Key derivation for a module using an embedded universal integrated circuit card

ABSTRACT

A module with an embedded universal integrated circuit card (eUICC) can include a received eUICC profile and a set of cryptographic algorithms. The received eUICC profile can include an initial shared secret key for authentication with a wireless network. The module can receive a key K network token and send a key K module token to the wireless network. The module can use the key K network token, a derived module private key, and a key derivation function to derive a secret shared network key K that supports communication with the wireless network. The wireless network can use the received key K module token, a network private key, and the key derivation function in order to derive the same secret shared network key K derived by the module. The module and the wireless network can subsequently use the mutually derived key K to communicate using traditional wireless network standards.

CROSS-REFERENCE TO RELATED APPLICATIONS

This is a continuation of U.S. patent application Ser. No. 16/201,401filed Nov. 27, 2018, which is a continuation of U.S. patent applicationSer. No. 15/680,758 filed Aug. 18, 2017, and which issued as U.S. Pat.No. 10,187,206, which is a continuation of U.S. patent application Ser.No. 15/130,146 filed Apr. 15, 2016, and which issued as U.S. Pat. No.9,742,562, which is a continuation of U.S. patent application Ser. No.14/084,141 filed Nov. 19, 2013, and which issued as U.S. Pat. No.9,319,223, each of which is fully incorporated by reference herein.

The subject matter of this application is related to the subject matterof U.S. patent application Ser. No. 14/023,181, filed Sep. 10, 2013 inthe name of John Nix, entitled “Power Management and Security forWireless Modules in ‘Machine-to-Machine’ Communications,” which ishereby incorporated by reference in its entirety.

The subject matter of this application is also related to the subjectmatter of U.S. patent application Ser. No. 14/039,401, filed Sep. 27,2013 in the name of John Nix, entitled “Secure PKI Communications for‘Machine-to-Machine’ Modules, including Key Derivation by Modules andAuthenticating Public Keys,” which is hereby incorporated by referencein its entirety.

The subject matter of this application is also related to the subjectmatter of U.S. patent application Ser. No. 14/055,606, filed Oct. 16,2013 in the name of John Nix, entitled “Systems and Methods for‘Machine-to-Machine’ (M2M) Communications Between Modules, Servers, andan Application using Public Key Infrastructure (PKI),” which is herebyincorporated by reference in its entirety.

The subject matter of this application is also related to the subjectmatter of U.S. patent application Ser. No. 14/064,618, filed Oct. 28,2013 in the name of John Nix, entitled “A Set of Servers for“Machine-to-Machine” Communications using Public Key Infrastructure,”which is hereby incorporated by reference in its entirety.

BACKGROUND Technical Field

The present methods and systems relate to communications for a module,and more particularly, to methods and systems for supporting an embeddeduniversal integrated circuit card (eUICC) in a module, where the modulecan securely and efficiently derive keys for communicating with a serverand a wireless network, including shared secret keys and key pairs foruse with public key infrastructure (PKI).

Description of Related Art

The combination of “machine-to-machine” (M2M) communications and usinglow-cost sensors, Internet connections, and processors is a promisingand growing field. Among many potential benefits, M2M technologies allowthe remote monitoring and/or control of people, assets, or a locationwhere manual monitoring is not economic, or costs can be significantlyreduced by using automated monitoring as opposed to manual techniques.Prominent examples today include vending machines, automobiles, alarmsystems, and remote sensors. Fast growing markets for M2M applicationstoday include tracking devices for shipping containers or pallets,health applications such as, but not limited to, the remote monitoringof a person's glucose levels or heartbeat, monitoring of industrialequipment deployed in the field, and security systems. Many M2Mapplications leverage either wired Internet connections or wirelessconnections, and both types of connections continue to grow rapidly. M2Mapplications may also be referred to as “the Internet of things”.

M2M communications can provide remote control over actuators that may beconnected to a M2M device, such as, but not limited to, turning on oroff a power switch, locking or unlocking a door, adjusting a speed of amotor, or similar remote control. A decision to change or adjust anactuator associated with an M2M device can utilize one or a series ofsensor measurements. An M2M device may also be referred to as a“wireless module” or also simply a module. As one example, if a buildingor room is too cold, then temperature can be reported to a centralserver by an M2M device and the server can instruct the M2M device toturn on a switch that activates heat or adjusts a thermostat. As thecosts for computer and networking hardware continue to decline, togetherwith the growing ease of obtaining either wired or wireless Internetaccess for small form-factor devices, the number of economicallyfavorable applications for M2M communications grows.

Many M2M applications can leverage wireless networking technologies.Wireless technologies such as, but not limited to, wireless local areanetworks and wireless wide area networks have proliferated around theworld over the past 15 years, and usage of these wireless networks isalso expected to continue to grow. Wireless local area network (LAN)technologies include WiFi and wireless wide area network (WAN)technologies include 3^(rd) Generation Partnership Project's (3GPP)3^(rd) Generation (3G) Universal Mobile Telecommunications System (UMTS)and 4^(th) Generation (4G) Long-term Evolution (LTE), LTE Advanced, andthe Institute of Electrical and Electronics Engineers' (IEEE) 802.16standard, also known as WiMax. The use of wireless technologies with“machine-to-machine” communications creates new opportunities for thedeployment of M2M modules in locations less suitable for fixed-wireInternet access, but also creates a significant new class of problemsthat need to be solved.

One class of problems for using M2M modules with traditional wirelessnetworks results from basic design considerations for the wirelessnetworks, where many wireless wide-area networking standards weredesigned and optimized for mobile phones, including smart phones. A coreelement of traditional wireless WAN technologies such as 3GPP and ETSIstandards over the past 20 years has included the use of a subscriberidentity module (SIM) card within 2G networks and a related universalintegrated circuit card (UICC) for 3G and 4G networks, including LTEnetworks. ETSI standards for a physical UICC as of 2013 include ETSI TR102 216. Traditionally, these cards have been supplied by a mobilenetwork operator (MNO) and contain a pre-shared secret key K in additionto a set of parameters for a mobile phone or user equipment to connectwith the wireless network operated by the MNO. The parameters couldinclude (i) an identity such as an IMSI, (ii) a set of frequencies for amobile phone to scan in order to locate a beacon signal from the MNO,(iii) a preferred access list of other MNOs in order to support roamingin locations where the MM associated with the IMSI is not available, and(iv) many other related parameters as well. The physical media and cardsin the form of a UICC can be appropriate or suitable for a mobile phoneor mobile handset, where an end user can readily replace or “swap out”the physical card as the mobile phone changes geographical locations ordue to other preferences for the subscriber or end-user. Distributors ofeither mobile handsets or mobile phone service can physically insert orchange an appropriate UICC for the mobile phones as well.

However, the rapid growth for “machine-to-machine” applications hascreated significant challenges to the traditional model of utilizingphysical media such as a UICC in order to provide data and parametersfor a module's connectivity to a MNO. Exemplary reasons for potentialdifficulties with physical media such as a UICC in M2M applicationsinclude (i) the modules may be installed in remote locations that aredifficult or expensive to reach after installation, such as, but notlimited to, tracking devices on shipping containers that can moveglobally, (ii) a manufacturer or service provider may prefer for themodule to be hermetically sealed for business or technical reasons,including the physical UICC may not be easily tampered with, and (iii) amodule (such as a tracking device on a 40 foot shipping container) maymove between several different countries, and the lowest costs forInternet or data connectivity through the wireless WAN may be throughutilizing different UICC cards from different operators, but the cost ofswapping the UICC card could be prohibitive.

Other needs for changing a preferred network or network credentialswithout physically changing a UICC exist as well. These needs have beenone motivation for the industry, including ETSI and 3GPP standardsbodies, to consider an embedded UICC, also known as an “eUICC”. With aneUICC, the operation of an UICC can be essentially “virtualized”, suchthat the data and algorithms within a UICC can be processed in softwareand distributed through electronic media (such as, but not limited to, afile transfer or file download). Exemplary benefits and technicalconsiderations for using an eUICC in M2M applications as of November2013 is outlined in ETSI TS 103 383 v12.1, entitled “Smart Cards;Embedded UICC; Requirements Specification,” which is herein incorporatedby reference in its entirety. Note that this published standard fromSeptember 2013, and the standard is primarily in the requirementsdefinition phase, and many of the technical specifications forimplementation and operation of an eUICC will be defined in the future.

Although the use of an embedded eUICC can solve many of the issues fordistributing and managing physical media such as a UICC, many additionalchallenges remain. Many open and remaining challenges for a eUICCpertain to securely and electronically transferring a new set of MNOnetwork access credentials (such as an IMSI and network key K) to amodule in a secure and efficient manner. A need exists in the art for amodule to securely obtain network access credentials. Another needexists in the art for the obtained credentials in a eUICC to be fullycompatible with the significant installed and legacy base of networksthat use a pre-shared secret key K, where the key K serves as thefoundation for authentication and ciphering of data for a mobile phoneor user equipment, including modules using conventional technology. Asuccessful solution to these needs for M2M applications in the form ofan eUICC can also provide a working solution of the needs for regularmobile phones as well, such that a consumer mobile phone could implementand utilize an eUICC in order to eliminate the costs and complexity ofdealing with a physical UICC.

A need exists in the art for module and a mobile network operator tosecurely share a pre-shared secret key K without depending on physicaldistribution of the key K or electronic distribution of the key Kthrough 3rd parties, even in an encrypted form. As currentlycontemplated in November of 2013 by eUICC standards discussed above, apre-shared secret key K and related network access credentials aretransmitted to a module in an encrypted form, including multiplepotential layers of encryption and authentication. The pre-shared secretkey K is also known as key K in 4G LTE and related networks and key Kiin 3G networks. The resulting security for the electronicallytransferred, pre-shared secret key K is no stronger than (i) theencryption on the channel used to transfer key K, and (ii) the securityand chain of control for keys used to encrypt the communications channeltransferring key K to a module or a mobile phone. The MNO using anelectronically transferred key K for network access credentials isdependent on the communications channel for transferring key K, eventhough that communications channel may be outside the control of the MNO(such as at a time when key K is transferred using another MNO or adifferent network).

In addition, over an extended period of time such as several years, amobile network operator could prefer for the key K to periodicallyrotate or change for an individual module or mobile phone in order toincrease security. The continued and extended use of a single key K forall communications with a module or mobile phone can be a security risk,especially with a large volume of data transferred that could be subjectto analysis for cryptographic weaknesses by potential attackers.Additionally, in the future a standard key length for key K may increasefrom today's current 128 bits to a longer key length such as anexemplary 256 bits. With conventional technology where key K is recordedin physical media such as a UICC, the only feasible way to change key Kfor a module or mobile phone is to physically distribute a new UICCcard, with resulting costs and business complexities. A need exists inthe art for a module, including a mobile phone, and a MNO to securelyand efficiently support a change in network access credentials,including a key K for the module connecting to the MNO, withoutrequiring a physical replacement of a UICC or equivalent physical mediarecording a key K.

And other needs exist in the art as well, as the list recited above isnot meant to be exhaustive but rather illustrative.

SUMMARY

Methods and systems are provided for secure and efficient communicationusing a module to communicate with a server and a mobile operatornetwork. The module can support “Machine to Machine” (M2M)communications, also known as “the Internet of things”. The methods andsystems contemplated herein can also support other applications as well,including mobile phone handsets connecting to a wireless network, wherethe wireless network can be associated with or the radio access portionof a mobile operator network. A module in the present invention cancomprise a mobile phone such as a smartphone. An objective of theinvention is to address the challenges noted above for securing thedeployment of modules that can utilize an embedded universal integratedcircuit card (eUICC) and/or also PKI algorithms and keys. The methodsand systems contemplated herein can reduce the need for manualintervention with a module in order to automatically and remotely changenetwork access credentials in order for the module to utilize new ordifferent keys in order to connect and authenticate with a wirelessnetwork. By using an eUICC, such as an eUICC supporting the derivationof keys for secure communication of data between a module and a server,the value and usefulness of modules can be increased for a user and amobile operator network.

Exemplary embodiments may take the form of methods and systems for amodule. The module and a server associated with a wireless network or amobile network operator can include a set of cryptographic algorithmsfor use in sending and receiving data. The cryptographic algorithms caninclude asymmetric ciphering algorithms, symmetric ciphering algorithms,secure hash algorithms, digital signature algorithms, key pairgeneration algorithms, a key derivation function, and a random numbergenerator. The module can utilize a set of cryptographic parameters withthe set of cryptographic algorithms. In exemplary embodiments, themodule and the server can also include a shared secret algorithm and asecret ciphering algorithm.

The module can utilize the set of cryptographic algorithms and the setof cryptographic parameters to securely generate or derive moduleprivate keys and module public keys. A module private key and modulepublic key can be generated either (i) upon manufacturing, distribution,installation, or an initial use of the module, or (ii) at subsequenttimes after initial use such as when a new set of key pairs are requiredor are useful for continued operation of the module. A module privatekey that is loaded into a module by a manufacturer, distributor,technician, or end user can comprise an initial module private key, anda private key that is derived by a module after installation ordistribution can comprise a derived module private key. After derivingthe module public key and module private key, the module private key canbe preferably recorded in a nonvolatile memory within the module.

In a first embodiment, the module can connect with a wireless networkoperated by a module network operator. The wireless network couldcomprise a network based upon wireless wide area networking (WAN)standards such as a wireless network that utilizes Long-Term Evolution(LTE) standards, LTE Advanced, or related networks where authenticationand encryption of data utilizes conventional technology with apre-shared secret key K as defined in the wireless network standards.With conventional technology and these exemplary standards-basednetworks, the pre-shared secret key K is normally recorded in auniversal integrated circuit card (UICC) that is distributed to endusers for insertion into modules and mobile phones. This physicaldistribution of a UICC can create challenges and costs for modulessupporting M2M applications. For example, with conventional technologythe replacement of the UICC in order to connect with a differentwireless network can be difficult or incur higher costs than theelectronic generation and/or distribution of a profile for an eUICC. Theprofile can include data for (i) appropriate network access credentialsand also (ii) network parameters for connecting a module with a wirelessnetwork associated with a mobile operator network. The MNO can processor create data or values in the profile for initial network accesscredentials and the network parameters. A first exemplary embodimentsupports a module using a network module identity to securely change akey K used for authentication without either (i) receiving a newphysical UICC or (ii) receiving a new eUICC profile.

In a first exemplary embodiment, the module can store an initial key Kin at least one of a physical UICC or a “virtual” UICC in the form of aneUICC. The eUICC can record a profile with the initial key K. The modulecould receive the physical UICC or the profile for the eUICC with theinitial key K from either (i) a manufacturer, distributor, installer, orend user, or (ii) via a network. In the case where the profile for theeUICC is received via a network (which could comprise a differentwireless network than the wireless network for the module to use theeUICC profile), the network could be a prior network the module connectswith before applying and using the profile for the eUICC. The profilefor an eUICC can include the equivalent data that is recorded in aphysical UICC, such that the eUICC operating with an activated eUICCprofile can provide functionality to a module that is equivalent to aphysical UICC. After recording the initial key K and related networkaccess credentials and network parameters, the module can connect andauthenticate with the wireless network using the initial key K. Theauthentication could comprise steps established in standards includingsending a network module identity (which could be an IMSI or relatedidentity), receiving a RAND value, inputting the RAND into the UICC oreUICC, receiving a RES value from the UICC or eUICC, and sending the RESto the wireless network.

Either before or after authentication with the wireless network usingthe initial key K, the module can use the set of cryptographicparameters and the set of cryptographic algorithms to derive a moduleprivate key and a module public key, which can comprise a module PKI keypair. The module PKI key pair could be processed according to a varietyof cryptographic algorithms, including the use of RSA-based algorithmsand elliptic curve cryptography (ECC) algorithms. In an exemplaryembodiment, the module can derive the module PKI key pair with ECCalgorithms in order to reduce the processing power and bandwidthrequired, where a similar level of security can be achieved with shorterkey lengths using ECC algorithms compared to RSA algorithms. In anotherembodiment, RSA algorithms can be used to derive the module PKI key pairin order to support legacy software and systems that utilize RSAalgorithms for public and private keys, and related cryptographicoperations including signatures with the digital signature algorithm(DSA). The module can also derive a key K module token using the derivedmodule private key. For embodiments where ECC algorithms are used toderive the module PKI key pair, the key K module token can comprise themodule public key, although different values for the key K module tokencan be utilized as well.

Continuing with the first exemplary embodiment, after authenticationwith the wireless network using the initial key K, the module can sendthe derived key K module token to the wireless network. The module cansend the key K module token to a server associated with or operated bythe mobile network operator. The mobile network operator can record thatthe key K module token is associated with the network module identity,in order to track a plurality of modules and key K module tokens. Themodule can derive a secret shared network key K using a key derivationfunction. The key derivation function can use as input the derivedmodule private key, the set of cryptographic parameters, and a key Knetwork token. The key K network token and the set of cryptographicparameters for the key derivation function could be (i) recorded in theUICC or eUICC profile, or (ii) received by the module from the wirelessnetwork after connecting with the initial key K. The secret sharednetwork key K can comprise a second key K, different than the initialkey K, for the module to authenticate with the wireless network, andalso encrypt/decrypt data with the wireless network. A server operatedby a mobile network operator and associated with the wireless networkcan use the key K module token received from the module to also derivethe secret shared network key K.

Continuing with the first exemplary embodiment, after both the moduleand the server have derived the secret shared network key K, the modulecan subsequently authenticate with the wireless network using themutually derived secret shared network key K. The authentication couldcomprise steps established in standards, including sending the networkmodule identity (including using the same network module identity aswith initial key K, although the module could also change the networkmodule identity), receiving a RAND value, inputting the RAND and thederived secret shared network key K into a set of cryptographicalgorithms, calculating a RES value using the set of cryptographicalgorithms, and sending the RES to the wireless network. Additional keyssuch as cipher keys, integrity keys, and symmetric ciphering keys canfurther be derived by both the module and the wireless network using thesecret shared network key K and the RAND value. In this manner, a moduleand a mobile network operator can mutually derive a secret sharednetwork key K instead of requiring the physical or electronicdistribution of key K, thereby increasing security and flexibility forcommunications between a module and a wireless network.

A second exemplary embodiment can support a module changing a key K usedto (i) authenticate with a wireless network and (i) cipher/decipher datawith a wireless network. The module can change key K without requiringthe manual exchange of a UICC or other physical intervention. The modulecan use an eUICC profile and change key K while using the same eUICCprofile. The module, could also comprise a mobile phone such as, but notlimited to, a smart phone. The module can include a module identitywhich is recorded into a read-only or protected address uponmanufacturing or distribution of the module. The module can receiveeUICC profiles from an eUICC subscription manager. The module can usethe module identity to identify the module with the eUICC subscriptionmanager and also an initial private key to authenticate and/or cipherdata with the eUICC subscription manager. The eUICC subscription managercan use a server in order to communicate with the module. Afterconnecting with a first network, which could comprise a first wirelessWAN, wireless LAN, or wired connection, the module can receive a eUICCprofile for an eUICC in the module, where the eUICC profile includes anetwork module identity and a first key K. The first key K can be astandards-based key K used with wireless networks, and be equivalent toa pre-shared secret key K recorded in physical UICC, and may also besimilar or equivalent to an initial key K from the first exemplaryembodiment outlined above.

Continuing with this second exemplary embodiment, the module can use theeUICC, the network module identity, and the first key K to authenticatewith the wireless network. The authentication could comprise stepsestablished in wireless networking standards including sending a networkmodule identity (which could be an IMSI or related identity), receivinga RAND value, inputting the RAND into the eUICC, receiving a RES valuefrom the eUICC (where the eUICC uses the first key K to calculate theRES), and sending the RES to the wireless network. After authenticatingwith the wireless network using the first key K, the module can send akey K module token to the wireless network. The key K module token cancomprise a number or a string for a module network operator associatedwith the wireless network to utilize in a key derivation function. Datafor the authentication and related steps in this second embodiment canbe communicated between a module and a set of servers, where the set ofservers are associated with the wireless network and mobile networkoperator. The wireless network can comprise the radio access portion orsegment for the mobile network operator.

Continuing with this second embodiment, after authenticating with thewireless network using the first key K, the module can receive a set ofcryptographic parameters. The module can use the received set ofcryptographic parameters and a key derivation function in order toderive a second key K. A server associated with the mobile networkoperator can use the received key K module token, the set ofcryptographic parameters, and the key derivation function in order toderive the same second key K. The second key K derived by the module canbe recorded in the eUICC profile for the wireless network. The modulecan disconnect from the wireless network after attaching using the firstkey K, and then reconnect using the second key K which has now beenmutually derived by both the module and the mobile network operator. Themodule can reconnect using the eUICC, the received eUICC profile, andeither (i) the network module identity used with the first key K, or(ii) a second network module identity sent or received by the moduleafter connecting with the first key K. In this manner, a module canchange the key K used to authenticate and cipher/decipher data with awireless network from a first key K to a second key K. This can increaseflexibility of the system and reduce costs of physically distributing anew UICC to the module (or electronically sending new eUICC profiles) inorder to change a key K. Also note that the second key K does not needto be transmitted, even in an encrypted form through third parties suchas an eUICC subscription manager, and thus the security of a systemusing an eUICC can be increased as well.

A third exemplary embodiment can comprise a method for a module tosecurely and efficiently send sensor data to a server. The module caninclude a sensor for automatically collecting data regarding a monitoredunit. The module can comprise a wireless module that connects to awireless network, including a wireless WAN such as a public land mobilenetwork (PLMN). The module and the network can use standards thatinclude Internet Protocol (IP) at the network and transport layers ofthe open systems interconnection (OSI) stack. The module can record aninitial module private key and a module identity in a non-volatilememory, and the initial module private key and module identity could berecorded by a module manufacturer, or the module identity could berecorded by a module manufacturer and a distributor or end user couldrecord the initial module private key. An eUICC subscription managercould also provide the initial module private key. The modulemanufacturer, distributor, mobile network operator, and/or moduleprovider could operate as an eUICC subscription manager. Upon connectingwith a first network, the module can receive a set of cryptographicparameters and a profile for an eUICC from the eUICC subscriptionmanager, and the module can decrypt the profile using the initial moduleprivate key.

Continuing with this third exemplary embodiment, the module can derive amodule private key and a module public key using the set ofcryptographic parameters and a set of cryptographic algorithms. Themodule can select the received eUICC profile, activate the profile, andauthenticate and connect with a wireless network using the eUICCprofile. The module can send a message with the derived module publickey and the module identity to a server and the module can authenticatethe message using the initial module private key. A server could recordor have access to an initial module public key associated with theinitial module private key, and the server can use the initial modulepublic key to authenticate the message sent by the module. In thismanner of a module using the initial module private key and the serverusing the initial module public key, the module can authoritatively sendthe derived module public key, such that a fraudulent or otherwiseunauthorized module could not feasibly submit a public key for themodule with the module identity. After sending and authenticating thederived module public key, the module can send a sensor measurement witha module identity in a message to the server, and the message couldcontain a module encrypted data. The module can use the derived moduleprivate key to encrypt the module encrypted data. The server can use thereceived, authenticated module public key to decrypt the moduleencrypted data. The server can record or forward the sensor data, andthe module can repeat the process of collecting sensor data and usingthe derived module private key to send the sensor data.

In another embodiment, the module may be deployed within a wirelessnetwork such as, but not limited to, a 4G LTE network, a LTE Advancednetwork, or a WiFi network, and the module may comprise a wirelessmodule. After being installed next to a monitored unit, the wirelessmodule can (i) wake from a sleep or dormant state, (ii) utilize a sensorto collect data associated with a monitored unit, (iii) connect to thewireless network using Internet Protocol standards, and (iv) send thesensor data to a server. During an active state, the module can use aUDP IP:port number to both send a message to the server and receive aresponse to the server. The message as a UDP datagram can be a UDP Litedatagram and with a checksum only applied to the packet header. A UDPLite datagram with sensor data can include channel coding for the bodyof the datagram to mitigate the effect of bit errors. In thisembodiment, the wireless network can preferably support the UDP Liteprotocol.

In exemplary embodiments, a module can use a first module private keyand a server can use a first module public key to establishcommunication between the two nodes. The server can belong to a mobilenetwork operator and be associated with a wireless network. The servercan securely send the module a set of cryptographic parameters, wherethe set of cryptographic parameters includes values to define anequation for an elliptic curve. The values could comprise constants andvariables such that the module can calculate an elliptic curve, and theelliptic curve can be different than standard, published curves. The setof cryptographic parameters could be sent from the server to the modulein a server encrypted data, where the server encrypted data is decryptedby the module using any of (i) the first module private key, (ii) asymmetric key, and (iii) a shared secret key. The module can use the setof cryptographic parameters, a random number generator, and a key pairgeneration algorithm within a set of cryptographic algorithms in orderto generate a new, second module key pair, which could comprise a secondmodule public key and a second module private key. The module cansecurely and/or authoritatively send the second module public key to theserver, where the steps to implement security for sending the secondmodule public key can include using of the first module public keyand/or the shared secret key.

In another embodiment, a module with a module identity can derive itsown public and private keys after distribution of the module using afirst set of cryptographic parameters. A module can send a message thatincludes a module identity, where the module identity can be verifiedusing at least one of a module digital signature and a shared secretkey. A set of servers can send the module with the module identity asecond set of cryptographic parameters, which can be different than thefirst set of cryptographic parameters. Over time, the module can use atleast a subset of the second set of cryptographic parameters to derivemultiple pairs of module public and private keys. Over time, the modulecan (i) send a series of module public keys with the module identity and(ii) use a previous module public key in the series to verify and/orauthenticate a message with a module public key sent by the module tothe server.

In exemplary embodiments, the module can use a shared secret algorithmin order to derive a shared secret key without sending or receiving theshared secret key. A set of component parameters and an algorithm tokencan also be input into the shared secret algorithm. A server couldrecord the same component parameters, the same shared secret algorithm,and also receive the algorithm token from the module. The server canderive the same shared secret key as the module. The module and theserver can then use the same shared secret key as a symmetric key forsymmetric ciphering algorithms, for authentication where both the moduleand a server mutually authenticate using a message digest and the sharedsecret key.

These as well as other aspects and advantages will become apparent tothose of ordinary skill in the art by reading the following detaileddescription, with reference where appropriate to the accompanyingdrawings.

BRIEF DESCRIPTION OF THE DRAWINGS

Various exemplary embodiments are described herein with reference to thefollowing drawings, wherein like numerals denote like entities.

FIG. 1a is a graphical illustration of an exemplary system, where aserver and a module connect using a wireless network, in accordance withexemplary embodiments;

FIG. 1b is a graphical illustration of hardware, firmware, and softwarecomponents for a module, in accordance with exemplary embodiments;

FIG. 1c is a graphical illustration of components within a module, inaccordance with exemplary embodiments;

FIG. 1d is a graphical illustration of components in a set ofcryptographic algorithms, in accordance with exemplary embodiments;

FIG. 1e is a graphical illustration of a set of components for a moduleand a set of component parameters, in accordance with exemplaryembodiments;

FIG. 1f is a graphical illustration for deriving a shared secret keyusing a shared secret algorithm, an algorithm token, and componentparameters, in accordance with exemplary embodiments;

FIG. 1g is a graphical illustration for ciphering and decipheringplaintext using a secret ciphering algorithm with input of ciphertextand a key, in accordance with exemplary embodiments;

FIG. 1h is a graphical illustration for deriving a shared secret key andan encrypted module identity, in accordance with exemplary embodiments;

FIG. 1i is a graphical illustration of an exemplary system, where amodule and a server exchange a set of cryptographic parameters and asubset of the set of cryptographic parameters, in accordance withexemplary embodiments;

FIG. 1j is an illustration of a certificate that includes a PKI publickey, where the key comprises an elliptic curve cryptography (ECC) key,in accordance with exemplary embodiments;

FIG. 1k is a graphical illustration of hardware, firmware, and softwarecomponents for a server, in accordance with exemplary embodiments;

FIG. 1m is a graphical illustration of components within a server, inaccordance with exemplary embodiments;

FIG. 2 is a graphical illustration of an exemplary system, where amodule sends a message to a server, and where the module receives aresponse to the message, in accordance with exemplary embodiments;

FIG. 3a is a flow chart illustrating exemplary steps for a module tosend sensor data to a server, in accordance with exemplary embodiments;

FIG. 3b is a graphical illustration of components within a receivedprofile and an activated profile for an embedded universal integratedcircuit card (eUICC), in accordance with exemplary embodiments;

FIG. 4 a is a flow chart illustrating exemplary steps for a module toprocess a message, including encrypting sensor data and sending adigital signature, in accordance with exemplary embodiments;

FIG. 5a a is a flow chart illustrating exemplary steps for a module toprocess a response from the server, including verifying a server'sidentity and decrypting instructions, in accordance with exemplaryembodiments;

FIG. 5b is a flow chart illustrating exemplary steps for a module tocommunicate with a server, including the module deriving public andprivate keys, in accordance with exemplary embodiments;

FIG. 6 is a simplified message flow diagram illustrating an exemplarymessage sent by a module, and an exemplary response received by themodule, in accordance with exemplary embodiments;

FIG. 7 is a flow chart illustrating exemplary steps for a module toderive a series of public keys and private keys, including sending andauthenticating the derived public keys, in accordance with exemplaryembodiments;

FIG. 8 is a simplified message flow diagram illustrating an exemplarymessage sent by a module, wherein the message includes a derived modulepublic key, in accordance with exemplary embodiments;

FIG. 9a is a flow chart illustrating exemplary steps for a module to usea shared secret key to authenticate with a server, in accordance withexemplary embodiments;

FIG. 9b is a flow chart illustrating exemplary steps for a module toderive a shared secret key K using a derived module PKI key, inaccordance with exemplary embodiments;

FIG. 10 is a simplified message flow diagram illustrating an exemplarysystem with exemplary data transferred between a module and a set ofservers, in accordance with exemplary embodiments;

FIG. 11 is a graphical illustration for a module and a network tomutually derive a shared secret key K, in accordance with exemplaryembodiments.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS OF THE INVENTION

FIG. 1a

FIG. 1a is a graphical illustration of an exemplary system, where aserver and a module connect over a wireless network, in accordance withexemplary embodiments. The system 100 includes a module 101 operatingwithin a wireless network 102. System 100 can also include a moduleprovider 109, an IP Network 107, and a mobile network operator 108, acertificate authority 118, and a monitored unit 119. Mobile networkoperator (MNO) 108 can include a server 105. For embodiments where theMNO 108 uses 4G LTE and LTE Advanced networks, server 105 could comprisea home subscriber server (HSS). Server 105 could be a server withrelated functionality for a MNO 108 that uses different wireless networkstandards than those based on 4G LTE. System 100 is illustrated withoutspecific packet transmissions between module 101 and mobile networkoperator 108. Examples of the communications and messages pertaining tothe present invention will be illustrated in later Figures. Ascontemplated herein, machine-to-machine communications may comprisecommunication between a module 101 and a server 105, such that data canbe transferred between the two with minimal manual intervention,although manual intervention can be required to set up system 100 andany occasional manual maintenance required. As contemplated herein,machine-to-machine communications may also be referred to as “theInternet of things” (IoT). Also note that module 101 may comprise awireless module, such that module 101 can communicate with wirelessnetwork 102 using a radio and an antenna. A wireless or a wiredconfiguration for module 101 can be utilized in the present invention.

If module 101 operates as a wireless module, module 101 and wirelessnetwork 102 can communicate using a base station 103. Module 101 andwireless network 102 can utilize a variety of wireless technologies tocommunicate, including WiFi, WiMax, a 2nd generation wireless wide areanetwork (WAN) technology such as, but not limited to, General PacketRadio Services (GPRS) or Enhanced Data rates for GSM Evolution (EDGE),3rd Generation Partnership Project (3GPP) technology such as, but notlimited to, 3G, 4G LTE, or 4G LTE Advanced, and other examples exist aswell. A wired module 101 can connect to the IP Network 107 via a wiredconnection such as, but not limited to, an Ethernet, a fiber optic, or aUniversal Serial Bus (USB) connection (not shown).

Generally, the communication techniques described herein can beindependent of the network technologies utilized at the physical anddata-link layers, so long as the underlying network provides access tothe IP Network 107 and supports Internet Protocols (IP). The IP Network107 can be an IPv4 or an IPv6 packet-switched based network thatutilizes standards derived from the Internet Engineering Task Force,such as, but not limited to, RFC 786 (User Datagram Protocol), RFC 793(Transmission Control Protocol), and related protocols. The IP Network107 can be the public Internet comprising globally routable IPaddresses, or a private network that utilizes private IP addresses. IPNetwork 107 as illustrated in FIG. 1a could comprise the globallyroutable public Internet, or IP Network 107 could also be a privateInternet that is (i) not globally routable and (ii) only accessible toauthorized modules and servers. As one example of a private IP Network107, IP Network 107 could use private IP addresses for nodes on thenetwork, and in this case IP Network 107 could be referred to as anintranet or private network. Alternatively, IP Network 107 could be aprivate network layered on top of the publicly routable Internet viasecured and encrypted connections. The specific numbers for IP addressesand port numbers shown in FIG. 1a and other figures are illustrative andany valid IP address or port number can be used, including an IPv4 andan IPv6 address. Server 105 within mobile network operator 108 cancommunicate with the module 101 using IP network 107, where IP network107 can comprise a private network that utilizes Internet Protocolstandards. Module 101 can access the public Internet afterauthenticating with the server 105 associated with the MNO 108.

When operating in a wireless network configuration, module 101 canaccess the IP Network 107 via the wireless network 102. In the wirelessnetwork configuration, module 101 can be a wireless handset, a cellularphone, a smartphone, a tablet computer, a laptop, a computer with aradio, a tracking device, or a circuit board with a radio that accesseswireless network 102. Examples of wireless modules that utilize awireless WAN such as, but not limited to, 2G and 3G networkingtechnologies include the Motorola® G24-1 and Huawei® MC323. Examplemanufacturers of wireless modules in 2012 include Sierra Wireless® andTelit®. Example leading manufacturers of mobile phones in 2013 includeApple® and Samsung®. In a wired configuration (not shown), module 101can be a computer, security camera, security monitoring device,networked controller, etc. A more detailed depiction of exemplarycomponents of a module 101 is included in FIG. 1b and FIG. 1c below.Module 101 could also comprise a “point of presence” payment terminal,such that a sensor 101 f associated with module 101 could collectpayment information such as, but not limited to, an account number froma credit card or similar payment card. Module 101 could communicate withthe payment card via a magnetic reader or near-field wirelesscommunications, and in this case the magnetic reader or antenna fornear-field communications can function as a sensor. Module 101 couldalso operate as a “smartcard” such that an end user presents module 101to merchants for payments.

Wireless network 102 may comprise either a wireless local area network(LAN) or a wireless WAN such as a public land mobile network (PLMN).Examples for technologies used in wireless LANs include an 802.11 WLAN,Bluetooth, or Zigbee among other possibilities. Module 101 operating inwireless mode could communicate with a base station 103 of a wirelessnetwork 102 using a radio and an antenna. Wireless network 102 couldoperate as a Mode II device according to FCC Memorandum Opinion andOrder (FC-12-36) and related white space regulation documents. If module101 supports IEEE 802.15.4, then wireless network 102 could be a Zigbeenetwork, an ISA100.11a standards-based network, or a 6LoWPAN network asdescribed by IETF RFC 4944. Other possibilities exist as well for thewireless technology utilized by a wireless network 102 and module 101,operating in a wireless mode, without departing from the scope of thepresent invention.

Module 101 can collect data regarding a monitored unit 119 andperiodically report status to a mobile network operator 108 or a server105. Examples of a monitored unit 119 can include a vending machine, analarm system, an automobile or truck, a standard 40-foot or 20-footshipping container, or industrial equipment such as, but not limited to,a transformer on an electrical grid or elevator in a building.Additional examples of a monitored unit 119 include can also include apallet for shipping or receiving goods, an individual box ofpharmaceuticals, a health monitoring device attached to a person suchas, but not limited to, a pacemaker or glucose monitor, and a gate ordoor for opening and closing. Other examples exist as well withoutdeparting from the scope of the present invention. Module 101 canutilize a sensor to measure and collect data regarding a parameter ofmonitored unit 119 such as, but not limited to, temperature, physicallocation potentially including geographical coordinates from a GlobalPositioning System (GPS) receiver, radiation, humidity, surroundinglight levels, surrounding RF signals, weight, vibration and/or shock,voltage, current, and/or similar measurements.

As illustrated in FIG. 1a , wireless network 102 may include a wirelessnetwork firewall 104 and mobile network operator 108 may include aserver network firewall 124. These firewalls may be used to securecommunication at the data link, network, transport, and/or applicationlayers of communications using the IP Network 107. Firewalls 104 and 124could perform network address translation (NAT) routing or operate assymmetric firewalls, and/or selectively filter packets received throughIP Network 107 in order to secure system 100. The firewall functionalityof firewalls 104 and 124 could be of many possible types, including asymmetric firewall, a network-layer firewall that filters inboundpackets according to pre-determined rules, an application-layerfirewall, or a NAT router, as examples. Firewalls 104 and 124 could alsoimplement an IPSec tunnel between the two firewalls. Although a singlefirewall 104 and 124 is illustrated in wireless network 102 (or a wirednetwork 102 or simply “network 102”) and with mobile network operator108, respectively, firewall 104 and 124 may each comprise multiplefirewalls that operate in conjunction and the combined operation may beconsidered a single firewall 104 and 124, respectively.

According to a preferred exemplary embodiment, module 101 may preferablyrecord a module private key 112. As described in additional figuresbelow, module 112 can generate a key pair comprising a module privatekey 112 and a module public key 111, where module private key 112resides within module 101 and may not be shared or transmitted to otherparties. Alternatively, the present invention also contemplates thatmodule 101 does not derive its own module private key 112, and rathermodule private key 112 can be securely loaded or transmitted to module101, and in this case the loaded module private key 112 can comprise aninitial module private key 112 b. Module 101 may also be associated witha module provider 109. Module provider 109 could be a manufacturer ordistributor of module 101, or may also be the company that installs andservices module 101 or associates module 101 with monitored unit 119.Module provider 109 can record a module public key 111 and a certificate122 (illustrated below in FIG. 1j ) for module 101. Module public key111 may be associated with a module public key identity 111 a, whichcould be an identifier of module public key 111.

Either module provider 109 or mobile network operator 108 could functionas a eUICC subscription manager 164, where an eUICC subscription manager164 can manage the recording and secure distribution of eUICC profilesto a module 101. Other entities could operate as an eUICC subscriptionmanager 164 as well. An eUICC subscription manager is described in ETSITS 103 383 v12.1, entitled “Smart Cards; Embedded UICC; RequirementsSpecification,” which is herein incorporated by reference in itsentirety. An eUICC subscription manager 164 can also use a server 105and record private keys and public keys for the server/subscriptionmanager operation. In embodiments, eUICC subscription manager 164 canuse a module public key 111 to cipher an eUICC profile (such as, but notlimited to, a received eUICC profile 311 depicted and described inconnection with FIG. 3b below), such that only module 101 with modulepublic key 111 could reasonably decipher the eUICC profile. In thismanner, the eUICC profile 311 can remain reasonably secured. The eUICCsubscription manager 164 can use either symmetric ciphering 141 b orasymmetric ciphering 141 a to encrypt the eUICC profile. The modulepublic key 111 used by an eUICC subscription manager 164 can comprise aninitial module public key 111 b, where the initial module public key 111b can be derived outside module 101 and loaded into module 101. Or, theeUICC subscription manager 164 can use a module public key 111 derivedby the module 101 (such that derived module public key 111 has beentransferred to the eUICC subscription manager 164 in a secure andreliably manner).

In embodiments, a module 101 may utilize multiple module public keys 111over the lifetime of module 101 (including multiple corresponding moduleprivate keys 112), and module public key identity 111 a can be used toselect and/or identify the correct module public key 111. Module publickey identity 111 a could be a string or sequence number uniquelyassociated with module public key 111 for a given module 101 (i.e.module public key identity 111 a does not need to be globally unique).As illustrated in FIG. 1a , module public key identity 111 a maypreferably not be included in the string or number comprising modulepublic key 111, but rather associated with the string or numbercomprising module public key 111, and in this case the two together(module public key identity 111 a and the string or number for modulepublic key 111) can refer to module public key 111 as contemplatedherein. In addition, module 101 can record an initial module private key112 b and an initial module public key 111 b. These initial keys can bedifferent from a module private key 112 and a module public key 111since the “initial” keys can be derived from an outside source andloaded into a module 101, and module private key 112 and module publickey 111 can be derived by module 101.

The module public key 111 can optionally be signed by a certificateauthority 118 in order to confirm the identity of module 101 and/or theidentity of module provider 109. Module provider 109 can also functionas a certificate authority 118 for module 101. Thus, the validity ofmodule public key 111, possibly recorded in a certificate 122(illustrated in FIG. 1j ) could be checked with module provider 109, andthe wireless module provider's 109 provider public key 120 could bechecked against certificate authority 118. Other configurations forsigning public keys and using certificates with public keys are possibleas well without departing from the scope of the present invention.

Public keys and private keys as contemplated in the present invention,including module public key 111 and module private key 112 andadditional keys described herein, may leverage established standards forPublic Key Infrastructure (PKI). Public keys may be formatted accordingto the X.509 series of standards, such as, but not limited to, X.509 v3certificates, and subsequent or future versions, and these keys may beconsidered cryptographic keys. The keys can support standards such as,but not limited to, the International Organization for Standardization(ISO) ISO/IEC 9594 series of standards (herein incorporated byreference) and the Internet Engineering Task Force (IETF) RFC 5280titled “Internet X.509 Public Key Infrastructure Certificate andCertificate Revocation List (CRL) Profile” (herein incorporated byreference), including future updates to these standards.

Module public key 111 and module private key 112, as well as the otherprivate and public keys described within the present invention, could begenerated using standard software tools such as, but not limited to,Openssl, and other tools to generate public and private keys exist aswell. Public and private keys as contemplated herein could be recordedin a file such as, but not limited to, a *.pem file (Privacy-enhancedElectronic Mail), a file formatted according to Basic Encoding Rules(BER), Canonical Encoding Rules (CER), or Distinguished Encoding Rules(DER), or as text or binary file. Other formats for public and privatekeys may be utilized as well, including proprietary formats, withoutdeparting from the scope of the present invention. As contemplatedherein, a key may also comprise a public key, a private key, or a sharedkey including a secret shared key. A public key as contemplated hereinmay also be considered a certificate or a public certificate. A privatekey as contemplated herein may also be considered a secret key.

Server 105 can include a module database 105 k, and server 105 will alsobe described in additional detail below in FIG. 1k and FIG. 1m . Server105 can operate as an HSS in 4G LTE networks, including recordingnetwork access credentials 314 (described in FIG. 3b below) for aplurality of modules 101 in a module database 105 k. Server 105 could bea plurality of individual computers operating in a coordinated mannerthrough a network in order to function as a server 105. Server 105 caninclude a server public key 114 and a server private key 105 c. Mobilenetwork operator 108 can also include a network private key 165 a and anetwork public key 165 b. Additional details regarding the variouspublic and private keys illustrated in FIG. 1a will be provided inFigures below.

Other configurations besides the one illustrated in FIG. 1a are possibleas well. Wireless network 102 could be included in mobile networkoperator 108. In many common commercial relationships for the operationof mobile phone service in the United States in 2013, wireless network102 could represent a portion of the radio access network used by amobile network operator 108. MNO 108 could outsource the operation andmaintenance of a radio access network, such as a wireless network 102,to 3^(rd) parties. In this configuration, wireless network 102 couldrepresent a network operated by a first company specializing in theoperation of radio towers and BTS equipment. This first company could becontracted with the mobile network operator 108 in order to supportmobile phone service or data services to modules 101.

In addition, server 105 could reside within wireless network 102 in adata center managed by wireless network 102. Wireless network 102 couldalso operate as a module provider 109. Although a single module 101,server 105, wireless network 102, and mobile network operator 108 areillustrated in FIG. 1a , system 100 could comprise a plurality of eachof these elements. Module 101 could also record sensor data pertainingto a plurality of monitored units 119. Module 101 could be mobile, suchas physically attached to a truck or a pallet, and module 101 couldconnect to a series of different wireless networks 102 or base stations103 as module 101 moves geographically. Other configurations arepossible as well for the elements illustrated in FIG. 1a withoutdeparting from the scope of the present invention.

FIG. 1b

FIG. 1b is a graphical illustration of hardware, firmware, and softwarecomponents for a module, in accordance with exemplary embodiments. FIG.1b is illustrated to include many components that can be common within amodule 101, and module 101 may also operate in a wireless configurationin order to connect with a wireless network 102. Module 101 may consistof multiple components in order to collect sensor data or control anactuator associated with a monitored unit 119. In a wirelessconfiguration, the physical interface 101 a of module 101 may supportradio-frequency (RF) communications with networks including a wirelessnetwork 102 via standards such as, but not limited to, GSM, UMTS, mobileWiMax, CDMA, LTE, LTE Advanced, and/or other mobile-networktechnologies. In a wireless configuration, the physical interface 101 amay also provide connectivity to local networks such as, but not limitedto, 802.11 WLAN, Bluetooth, or Zigbee among other possibilities. In awireless configuration, module 101 could use a physical interface 101 abe connected with both a wireless WAN and wireless LAN simultaneously.In a wired configuration, the physical interface 101 a can provideconnectivity to a wired network such as, but not limited to, through anEthernet connection or USB connection.

The physical interface 101 a can include associated hardware to providethe connections such as, but not limited to, radio-frequency (RF)chipsets, a power amplifier, an antenna, cable connectors, etc., andadditional exemplary details regarding these components are describedbelow in FIG. 1c . Device driver 101 g can communicate with the physicalinterfaces 101 a, providing hardware access to higher-level functions onmodule 101. Device drivers 101 g may also be embedded into hardware orcombined with the physical interfaces. Module 101 may preferably includean operating system 101 h to manage device drivers 101 g and hardwareresources within module 101. The operating systems described herein canalso manage other resources such as, but not limited to, memory and maysupport multiple software programs operating on module 101 or server105, respectively, at the same time. The operating system 101 h caninclude Internet protocol stacks such as, but not limited to, a UserDatagram Protocol (UDP) stack, Transmission Control Protocol (TCP)stack, a domain name system (DNS) stack, etc., and the operating system101 h may include timers and schedulers for managing the access ofsoftware to hardware resources. The operating system shown of 101 h canbe appropriate for a low-power device with limited memory and CPUresources (compared to a server 105). An example operating system 101 hfor module 101 includes Linux, Android® from Google®, Windows® Mobile,or Open AT® from Sierra Wireless®. Additional example operating systems101 h for module 101 include eCos, uC/OS, LiteOs, and Contiki, and otherpossibilities exist as well without departing from the scope of thepresent invention.

A module program 101 i may be an application programmed in a languagesuch as, but not limited to, C, C++, Java, and/or Python, and couldprovide functionality to support M2M applications such as, but notlimited to, remote monitoring of sensors and remote activation ofactuators. Module program 101 i could also be a software routine,subroutine, linked library, or software module, according to onepreferred embodiment. As contemplated herein, a module program 101 i maybe an application operating within a smartphone, such as, but notlimited to, an iPhone® or Android®-based smartphone, and in this casemodule 101 could comprise the smartphone. The application functioning asa module program 101 i could be downloaded from an “app store”associated with the smartphone. Module program 101 i can include datareporting steps 101 x, which can provide the functionality or CPU 101 binstructions for collecting sensor data, sending messages to server 105,and receiving responses from server 105, as described in the presentinvention.

Many of the logical steps for operation of module 101 can be performedin software and hardware by various combinations of sensor 101 f,actuator 101 y, physical interface 101 a, device driver 101 g, operatingsystem 101 h, module program 101 i, and data reporting steps 101 x. Whenmodule 101 is described herein as performing various actions such asacquiring an IP address, connecting to the wireless network, monitoringa port, transmitting a packet, sending a message, receiving a response,or encrypting or signing data, specifying herein that module 101performs an action can refer to software, hardware, and/or firmwareoperating within module 101 illustrated in FIG. 1b or FIG. 1c performingthe action. Note that module 101 may also optionally include userinterface 101 j which may include one or more devices for receivinginputs and/or one or more devices for conveying outputs. User interfacesare known in the art and generally are simple for modules such as, butnot limited to, a few LED lights or LCD display, and thus userinterfaces are not described in detail here. User interface 101 j couldcomprise a touch screen if module 101 operates as a smartphone or mobilephone. As illustrated in FIG. 1b , module 101 can optionally omit a userinterface 101 j, since no user input may be required for many M2Mapplications, although a user interface 101 j could be included withmodule 101.

Module 101 may be a computing device that includes computer componentsfor the purposes of collecting data from a sensor 101 f or triggering anaction by an actuator 101 y. Module 101 may include a central processingunit (CPU) 101 b, a random access memory (RAM) 101 e, and a system bus101 d that couples various system components including the random accessmemory 101 e to the processing unit 101 b. The system bus 101 d may beany of several types of bus structures including a memory bus or memorycontroller, a peripheral bus, and a local bus using any of a variety ofbus architectures including a data bus. Note that the computercomponents illustrated for the module 101 in FIG. 1b may be selected inorder to minimize power consumption and thereby maximize battery life,if module 101 includes a battery and is not attached to external power.In addition, the computer components illustrated for the module 101 inFIG. 1b may also be selected in order to optimize the system for bothlong periods of sleep or idle states relative to active communicationsand also may be optimized for predominantly uplink (i.e. device tonetwork) communications with small packets or messages. The computercomponents illustrated for the module 101 in FIG. 1b may also begeneral-purpose computing components, and specialized components are notrequired in order to utilize many of the embodiments contemplatedherein.

Module 101 may include a read-only memory (ROM) 101 c which can containa boot loader program. Although ROM 101 c is illustrated as “read-onlymemory”, ROM 101 c could comprise long-term memory storage chipsets orphysical units that are designed for writing once and reading manytimes. As contemplated within the present invention, a read-only addresscould comprise a ROM 101 c memory address or another hardware addressfor read-only operations accessible via bus 101 d. Changing datarecorded in a ROM 101 c can require a technician have physical access tomodule 101, such as, but not limited to, removing a cover or part of anenclosure, where the technician can subsequently connect equipment to acircuit board in module 101, including replacing ROM 101 c. ROM 101 ccould also comprise a nonvolatile memory, such that data is storedwithin ROM 101 c even if no electrical power is provided to ROM 101 c.Although not illustrated in FIG. 1b , but illustrated in FIG. 1c below,module 101 could also include a flash memory 101 w. Module program 101i, data reporting steps 101 x, operating system 101 h, or device driver101 g could be stored in flash memory 101 w within module 101 when themodule is powered off. These components and/or instructions could bemoved from a flash memory 101 w (not shown in FIG. 1b but shown in FIG.1c ) into RAM 101 e when the module is powered on. Note that ROM 101 ccould be optionally omitted or included in a memory unit within CPU 101b (not shown).

Although the exemplary environment described herein employs ROM 101 cand RANI 101 e, it should be appreciated by those skilled in the artthat other types of computer readable media which can store data that isaccessible by a module 101, such as, but not limited to, memory cards,subscriber identity module (SIM) cards, local miniaturized hard disks,and the like, may also be used in the exemplary operating environmentwithout departing from the scope of the invention. The memory andassociated hardware illustrated in FIG. 1b provide nonvolatile storageof computer-executable instructions, data structures, program modules,module program 101 i, and other data for computer or module 101. Notethe module 101 may include a physical data connection at the physicalinterface 101 a such as, but not limited to, a miniaturized universalserial bus adapter 101 v (illustrated in FIG. 1c ), firewire, optical,or other another port. The computer executable instructions such as, butnot limited to, module program 101 i, data reporting steps 101 x,operating system 101 h, or device driver 101 g can be initially loadedinto memory such as, but not limited to, ROM 101 c or RAM 101 e throughthe physical interface 101 a before module 101 is given to an end user,shipped by a manufacturer to a distribution channel, or installed by atechnician. In addition, the computer executable instructions such as,but not limited to, module program 101 i, data reporting steps 101 x,operating system 101 h or device driver 101 g could be transferredwirelessly to module 101. In either case (wired or wireless transfer ofcomputer executable instructions), the computer executable instructionssuch as module program 101 i, data reporting steps 101 x, operatingsystem 101 h, or device driver 101 g could be stored remotely on a diskdrive, solid state drive, or optical disk (external drives not shown).

A number of program modules may be stored in RAM 101 e, ROM 101 c, orpossibly within CPU 101 b, including an operating system 101 h, devicedriver 101 g, an http client (not shown), a DNS client, and relatedsoftware. Further, the module program 101 i and/or data reporting steps101 x can perform the various actions described in the present inventionfor the module 101 through instructions the module program 101 i and/ordata reporting steps 101 x provide to the CPU 101 b. A user may entercommands and information into module 101 through an optional userinterface 101 j, such as a keypad, keyboard (possibly miniaturized for amobile phone form-factor), and a pointing device. Pointing devices mayinclude a trackball, an electronic pen, or a touch screen. A userinterface 101 j illustrated in FIG. 1b can also comprise the descriptionof a user interface 101 j within U.S. patent application Ser. No.14/039,401, filed Sep. 27, 2013 in the name of John Nix, which is hereinincorporated in its entirety.

The module 101, comprising a computer, may operate in a networkedenvironment using logical connections to one or more remote computers,such as the server 105 illustrated in FIG. 1a . Server 105 can alsofunction as a general purpose server to provide files, programs, diskstorage, remote memory, and other resources to module 101 usuallythrough a networked connection. Additional details regarding server 105are provided in FIG. 1k and FIG. 1m below. Additional remote computerswith which module 101 communicates may include another module 101 ormobile device, an M2M node within a capillary network, a personalcomputer, other servers, a client, a router, a network PC, a peerdevice, a base station 103, or other common network node. It will beappreciated that the network connections shown throughout the presentinvention are exemplary and other means of establishing a wireless orwired communications link may be used between mobile devices, computers,servers, corresponding nodes, and similar computers.

The module program 101 i and data reporting steps 101 x operating withinmodule 101 illustrated in FIG. 1b can provide computer executableinstructions to hardware such as CPU 101 b through a system bus 101 d inorder for a module 101 to (i) collect data from a sensor, (ii) changethe state of an actuator 101 y, and (iii) send or receive packets with aserver 105, thus allowing server 105 to remotely monitor or control amonitored unit 119. The module program 101 i and/or data reporting steps101 x can enable the module 101 to transmit or send data from sensor 101f or module 101 by recording data in memory such as RAM 101 e, where thedata can include sensor data, a destination IP:port number, a packet orpacket header value, an encryption or ciphering algorithm and key, adigital signature algorithm and key, etc. The data recorded in RAM 101 ecan be subsequently read by the operating system 101 h or the devicedriver 101 g. The operating system 101 h or the device driver 101 g canwrite the data to a physical interface 101 a using a system bus 101 d inorder to use a physical interface 101 a to send data to a server 105using the IP Network 107. Alternatively, the module program 101 i and/ordata reporting steps 101 x can write the data directly to the physicalinterface 101 a using the system bus 101 d.

The module program 101 i and/or data reporting steps 101 x, or operatingsystem 101 h can include steps to process the data recorded in memorysuch as, but not limited to, encrypting data, selecting a destinationaddress, or encoding sensor data acquired by (i) a sensor 101 f or (ii)through a physical interface 101 a such as, but not limited to, athermocouple, shock or vibration sensor, light sensor, or globalpositioning system (GPS) receiver, etc. The module 101 can use thephysical interface 101 a such as, but not limited to, a radio totransmit or send the data from a sensor to a base station 103. For thoseskilled in the art, other steps are possible as well for a moduleprogram 101 i or operating system 101 h to collect data from a sensor101 f and send the data in a packet without departing from the scope ofthe present invention.

Conversely, in order for module 101 to receive a packet or response fromserver 105, the physical interface 101 a can use a radio to receive datafrom a base station 103. The received data can include information froma server 105 and may comprise a datagram, a source IP:port number, apacket or header value, an instruction for module 101, anacknowledgement to a packet that module 101 sent, a digital signature,and/or encrypted data. The operating system 101 h or device driver 101 gcan use a system bus 101 d and CPU 101 b to record the received data inmemory such as RAM 101 e, and the module program 101 i or operatingsystem 101 h may access the memory in order to process the received dataand determine the next step for the module 101 after receiving the data.The steps within this paragraph may also describe the steps a moduleprogram 101 i or data reporting steps 101 x can perform in order toreceive a packet or a response 209 below. For those skilled in the art,other steps are possible as well for a module program 101 i, datareporting steps 101 x, or module 101 to receive a packet or responsefrom a server 105 within the scope of the present invention.

Moreover, those skilled in the art will appreciate that the presentinvention may be implemented in other computer system configurations,including hand-held devices, netbooks, portable computers,multiprocessor systems, microprocessor based or programmable consumerelectronics, network personal computers, minicomputers, mainframecomputers, and the like. The invention may also be practiced indistributed computing environments, where tasks are performed by remoteprocessing devices that are linked through a communications network. Ina distributed computing environment, program modules may be located inboth local and remote memory storage devices. In addition, the terms“mobile node”, “mobile station”, “mobile device”, “M2M module”, “M2Mdevice”, “networked sensor”, or “industrial controller” can be used torefer to module 101 or its functional capabilities of (i) collectingsensor data regarding a monitored unit 119, (ii) changing state of anactuator 101 y associated with monitored unit 119, and/or (iii)communicating the data associated with a monitored unit 119 with awireless network 102. The function of module 101 and sensor 101 f couldbe integrated, and in this case module 101 could also be referred to asa “sensor”, “intelligent sensor”, or “networked sensor”. Further, theterm “module” or “monitoring device” can be used to refer to the moduleprogram 101 i when module program 101 i provides functional capabilitiessuch as reporting data from a sensor 101 f to a server 105 or receivinginstructions for an actuator 101 y from a server 105. Otherpossibilities exist as well for the configuration or combination ofcomponents illustrated in FIG. 1b without departing from the scope ofthe present invention.

FIG. 1c

FIG. 1c is a graphical illustration of components within a module, inaccordance with exemplary embodiments. FIG. 1c is illustrated to show acombination of components useful for leveraging the efficient and securecommunication techniques described in the present invention. In additionto the components illustrated in FIG. 1b above, module 101 can include aan eUICC 163, a battery 101 k, a server public key 114, a wirelessmodule private key 112, a connection to an actuator 101 y, a USBinterface 101 v, a CPU wake controller 101 u, a flash memory 101 w, asymmetric key 127, a pre-shared secret key 129, a random numbergenerator 128, cryptographic algorithms 141, a radio 101 z, and othercomponents illustrated in FIG. 1c . Not all of the componentsillustrated in FIG. 1c are required for many exemplary embodiments, andsome of the components illustrated in FIG. 1c may also be optionallyomitted in some exemplary embodiments.

The CPU 101 b can comprise a general purpose processor appropriate forthe low power consumption requirements of a module 101, and may alsofunction as a microcontroller. A CPU 101 b and a CPU wake controller 101u are depicted and described in connection with FIG. 1b of U.S. patentapplication Ser. No. 14/055,606, filed Oct. 16, 2013 in the name of JohnNix, entitled “Systems and Methods for ‘Machine-to-Machine’ (M2M)Communications Between Modules, Servers, and an Application using PublicKey Infrastructure (PKI),” which is hereby incorporated by reference inits entirety. Clock 160 can comprise a crystal oscillator generatingsine or square wave outputs at a frequency to drive a system bus 101 d,CPU 101 b, and RAM 101 e, in addition to other functionality. Inexemplary embodiments, clock 160 can comprise a temperature-compensatedcrystal oscillator (TCXO), a voltage-controlled crystal oscillator(VCXO), or a voltage-controlled temperature-compensated crystaloscillator (VCTCXO), and other possibilities exist as well. Clock 160could include circuits and logic to keep time while module 101 is bothin an active state and a dormant state.

An eUICC 163 within module 101 can comprise an embedded universalintegrated circuit card 163. An eUICC 163 can provide the equivalentfunctionality as physical UICC, where definitions for a physical UICCare included in ETSI TR 102 216 and ETSI TS 102 221 V11.0.0. An eUICC163 in FIG. 1c can support exemplary requirements for an eUICC outlinedin ETSI TS 103 383 v12.2, entitled “Smart Cards; Embedded UICC;Requirements Specification,” which is herein incorporated by referencein its entirety. An eUICC 163 as illustrated in FIG. 1c can beimplemented within module 101 in several different ways, including (i)as a module program 101 i recorded in a nonvolatile memory, such as, butnot limited to, either flash memory 101 w or ROM 101 c, (ii) firmwarewithin CPU 101 b or another specialized processing unit within module101, (iii) a physical UICC within module 101 that contains the eUICC163, or (iv) a specialized circuit within a surface mount package thatis soldered directly onto a circuit board of the module 101, includingan 8-lead small outline non-leaded (SON-8) package. For the embodimentwhere an eUICC 163 comprises a module program 101 i, the eUICC 163 couldbe loaded and installed within nonvolatile memory 101 w in module 101using the steps and procedures described for a module program 101 i inFIG. 1 b. Other possibilities exist as well for the physicalimplementation of an eUICC 163 within a module 101 without departingfrom the scope of the present invention. An eUICC 163 may also bereferred to as an “electronic UICC”, an “electronic SIM” (eSIM), or an“embedded SIM” (also eSIM).

For embodiments where an eUICC 163 can be loaded into a RAM 101 e orflash 101 w memory, a CPU 101 b could designate the RAM 101 e or flash101 w memory containing the instructions and data for an eUICC 163 to bea protected memory. When (i) loaded with appropriate data (such as, butnot limited to an activated eUICC profile 313 described in FIG. 3bbelow), and (ii) a profile for a MNO 108 is selected and activated, thenan eUICC 163 can provide the equivalent functionality of a physicalUICC. The eUICC 163, using an activated eUICC profile 313, can providethe module 101 with (i) network access credentials 314, and (ii) networkparameters 310 in order to connect with wireless network 102. The eUICC163, using an activated eUICC profile 313, can record a secret sharednetwork key K (described in FIGS. 9b and 11 below and related Figures)and also a network module identity 110 b (described in FIG. 3b below andrelated Figures). The eUICC 163 can support standard steps by module 101for network authentication contemplated in 3GPP TS 33.401 V12.9.0 andrelated standards, including inputting a RAND 912 (depicted anddescribed in FIG. 9b ) and outputting an RES 913 (also depicted anddescribed in FIG. 9b ).

According to an exemplary embodiment, an eUICC 163 can be recorded andoperate within a “eUICC supporting” physical universal integratedcircuit card (UICC) 166 within module 101. This “eUICC supporting”,physical UICC 166 can include a processing unit, RAM memory, ROM memory,EEPROM memory, a bus, and a physical interface in order to support aprofile activation 316 of multiple different received eUICC profiles 311(where profile activation 316 and profile 311 are in FIG. 3b below). Theprocessing unit, RAM memory, ROM memory, EEPROM memory, and bus in an“eUICC supporting” UICC 166 could comprise smaller versions with similaror equivalent functionality of the CPU 101 b, RAM 101 e, ROM 101 c,flash memory 101 w, and bus 101 d, respectively, depicted and describedin FIG. 1b below for a module 101. In other words, a module 101 couldinclude a connection and slot for a physical UICC card, and (i) amanufacturer, distributor, or end user could load an “eUICC supporting”UICC 166 into the slot, and (ii) the eUICC 163 could operate on thephysical UICC.

The physical form-factor for an “eUICC supporting” UICC 166 could beidentical to a UICC, and a difference between the two may not even beapparent upon visual inspection without special markings on the card.The physical form-factor for an “eUICC supporting” UICC 166 couldcomprise a “micro-SIM” or a “nano-SIM” as defined in ETSI TS 102 221V11.0.0, which is herein incorporated by reference. When the module 101detects a “eUICC supporting” UICC 166, the module 101 could sendreceived eUICC profiles 311 to the “eUICC supporting” UICC 166, and alsoselect, deselect, activate, and deactivate the different received eUICCprovides 311 recorded in the “eUICC supporting” UICC 166. When a module101 detects that a regular UICC (i.e. not an “eUICC supporting” UICC166) has been loaded into a slot for UICCs, the module 101 could accessthe UICC in a regular manner implemented by mobile phones and modulesfor connecting to existing wireless networks in 2013, such as LTE or 3Gnetworks.

In addition to recording a received profile 311 and an activated profile313, an eUICC 163 can record an initial module private key 112 b and anetwork public key 165 b. An eUICC 163 can also record a plurality ofreceived eUICC profiles 311. As illustrated in FIG. 3b below, thenetwork public key 165 b could be recorded in the received eUICC profile311, where different profiles 311 and different network public keys 165b can be associated with different wireless networks 102. The initialmodule private key 112 b can be associated with an initial module publickey 111 b, as illustrated in FIG. 1a above. An eUICC subscriptionmanager 164 could use the initial module public key 111 b to encrypt theeUICC profile 311, and a module 101 could use the initial module privatekey 112 b to decrypt the eUICC profile received from the subscriptionmanager 164. The eUICC subscription manager 164, assuming the eUICCsubscription manager 164 is associated with MNO 108, could sign theeUICC profile 311 using the network private key 165 a (such as creatinga server digital signature 506 as described in FIG. 5a below), andmodule 101 could verify the server digital signature 506 with thenetwork public key 165 b. The network public key 165 b could be recordedin either (i) the eUICC 163 directly, and/or (ii) within the profile311. In either case, the initial module private key 112 b, initialmodule public key 111 b, an network PKI keys 165 a and 165 b (asillustrated in FIG. 1a ) can be useful for module 101 to authoritativelyand securely receive eUICC profiles 311.

Sensor 101 f could be a device to collect environmental data or dataregarding a monitored unit 119. Sensor 101 f could collect data such as,but not limited to, temperature, humidity, pressure, visible lightlevels, radiation, shock and/or vibration, voltage, current, weight, pHlevels, orientation/motion, or the presence of specific chemicals.Sensor 101 f could also be a microphone. Sensor 101 f could be amagnetic strip reader for credit cards and similar cards, or an antennafor either near-field RF communications, such as, but not limited to,reading an RF identity tag. An antenna for a sensor 101 f could alsocollect longer-range RF signals, such as, but not limited to, readinglong-range radio frequency identity tags. Sensor 101 f could alsocollect biometric data such as, but not limited to, heart rate, glucoselevels, body temperature, or other health measurements and in this casemonitored unit 119 could be a person. The sensor 101 f can provide datato the CPU 101 b in the form of analog or digital data, which can becommunicated via a system bus 101 d or physical interface 101 a andother electrical interfaces are possible as well. A sensor measurementcan comprise the analog or digital data collected by CPU 101 b fromsensor 101 f. A sensor measurement can include processing of the analogor digital data input CPU 101 b by sensor 101 f, such as, but notlimited to, averaging over time, using mathematic formulas to convertthe raw data from sensor 101 f into a usable form. Module 101 may alsocollect sensor data or sensor values using a sensor 101 f and CPU 101 b,where the data or values are derived from electrical signals output by asensor 101 f. A sensor measurement can comprise the sensor data orsensor values. If module 101 comprises a “point of presence” paymentterminal, then a sensor measurement could comprise data read from apayment card.

As contemplated herein, the terms “sensor measurement” and “sensor data”can be used interchangeably, and can also be considered functionallyequivalent. Although a single sensor 101 f is shown in FIG. 1c , amodule 101 could include multiple sensors. Each of the multiple sensors101 f could include a sensor identity 151, which could comprise a numberor string to identify the sensor 101 f. A sensor 101 f could be externalto module 101, and also a plurality of sensors 101 f may be used andthey also can connect to module 101 when module 101 uses radio 101 z asa base station for a WiFi network. An exemplary embodiment where sensor101 f connects to module 101 using a radio 101 z is also depicted anddescribed in connection with FIG. 1e of U.S. patent application Ser. No.14/055,606, filed Oct. 16, 2013 in the name of John Nix, which is herebyincorporated by reference in its entirety.

Actuator 101 y could be a device to control a parameter or state for amonitored unit 119, such as, but not limited to, changing a voltage orcurrent, activating a switch or relay, turning on or off a microphone orspeaker, activating or deactivating a light, and other examples are wellknown in the art. Actuator 101 y could also be a speaker. Actuator 101 ycould be controlled by module 101 via a digital or analog output fromCPU 101 b, which could also be transmitted or sent via system bus 101 dor a physical interface 101 a. Although actuator 101 y is illustrated asexternal to wireless module 101 in FIG. 1c , actuator 101 y could alsobe internal to module 101, and module 101 could include multipleactuators 101 y. The use of multiple actuators 101 y each with anactuator identity 152 is also depicted and described in connection withFIG. 1e of U.S. patent application Ser. No. 14/055,606, filed Oct. 16,2013 in the name of John Nix, which is hereby incorporated by referencein its entirety. Sensors and actuators are well known to those ofordinary skill in the art, and thus are not described in additionaldetail herein.

Module 101 can include a Universal Serial Bus (USB) interface 101 v. Inaccordance with an exemplary embodiment, module 101 can comprise awireless module and include a radio 101 z. Note that the use of a radio101 z is not required for module 101, which could also obtain aconnection to the IP Network 107 via a wired line such as Ethernet.Although not illustrated, radio 101 z could include antennas forreception and transmission of RF signals, and even multiple antennascould be used. Although a single radio 101 z is illustrated in module101, module 101 could also contain multiple radios 101 z. Radio 101 zcan support wireless LAN standards such as, but not limited to, WiFi,Bluetooth, and Zigbee, or similar wireless LAN standards. Radio 101 zillustrated in FIG. 1c can comprise a radio 101 z depicted and describedin connection with FIG. 1d of U.S. patent application Ser. No.14/039,401, filed Sep. 27, 2013 in the name of John Nix, the contents ofwhich are herein incorporated in their entirety.

Note that module 101 may also operate as a base station in a wirelessLAN, such as, but not limited to, an 802.11 base station. When module101 operates a wireless LAN, radio 101 z can function as either aclient/node and/or a base station 103 to support communication fromother wireless nodes in physical proximity, such as, but not limited to,other nodes within an exemplary 50 meters. The other wireless nodescould comprise a sensor 101 f and/or actuator 101 y, and in this case asensor could be referred to as a “networked sensor” and an actuatorcould be referred to as a “networked actuator”. Radio 101 z functioningas a base station is depicted and described as a base station 103 isdepicted and described in connection with FIG. 1d of U.S. patentapplication Ser. No. 14/039,401, filed Sep. 27, 2013 in the name of JohnNix, the contents of which are herein incorporated in their entirety.

In accordance with exemplary embodiments, module 101 can store moduleprivate key 112, server public key 114, and module identity 110, and asymmetric key 127 in memory/RAM 101 e during operation, such as when CPU101 b is active and the module 101 is connected to a network such as awireless network 102 during data transmissions. Module private key 112preferably is recorded in nonvolatile memory such as, but not limitedto, flash memory 101 w, so that module 101 has access to its private key112 after the private key has been derived or loaded, including timeswhen a battery 101 k has been fully drained or removed from module 101(if module 101 does not utilize a persistent power source such asland-line power).

Symmetric key 127 can be a secure, shared private key for use withsymmetric encryption or symmetric ciphering algorithms 141 b (in FIG. 1gbelow). Symmetric key 127 can be derived by using module public key 111and/or server public key 114, possibly through the use of a keyderivation function 141 f (described in FIG. 1d below). Symmetric key127 can be used for both encryption and decryption with symmetriccryptographic algorithms 141 b described in FIG. 1d below, where ashared secret key can be used to encrypt/cipher and/or decrypt/decipher.Symmetric key 127 may also include an expiration time 133, such thatsymmetric key 127 may only be used by module 101 and/or server 105during a limited period of time, such symmetric key 127 remaining onlyvalid for a day, or a week, or during a session (where the sessioncomprises multiple messages and/or responses between a module 101 and aserver 105), etc. Module 101 can also derive symmetric key 127 accordingthe Elliptic Curve Integrated Encryption Scheme (ECIES) and/or ECDH 159,discussed in FIG. 1d below, using module public key 111, server publickey 114, and a random number 128 a from random number generator 128.ECIES could be included in cryptographic algorithms 141. A summary ofECIES shared key derivation is described the Wikipedia article“Integrated Encryption Scheme” from Sep. 18, 2013 (herein incorporatedby reference). Other possibilities for shared key derivation functionusing public keys are possible as well, including a Diffie-Hellman keyexchange. Using a derived symmetric key from the exemplary keyderivation function ECIES, module 101 and/or server 105 could derive asecond symmetric key 127 after the expiration time 133 of the firstsymmetric key 127 had transpired. As contemplated herein, a symmetrickey 127 can also comprise a session key, or the use of a “session key”with a symmetric ciphering algorithm 141 b can comprise a symmetric key127.

In an exemplary embodiment, a key derivation function 141 f using publickeys is not required to generate a shared symmetric key 127, andalternatively a shared symmetric key 127 could be generated by any ofmodule 101, server 105, module provider 109, mobile network operator108, or wireless network 102. If module 101 generates shared symmetrickey 127 for symmetric ciphering 141 b within a cryptographic algorithms141, then module 101 can send shared symmetric key 127 to server 105using an asymmetric ciphering depicted and described in connection withFIG. 4 below. In accordance with a preferred exemplary embodiment,module 101 preferably uses a random number generator 128 to generate arandom number 128 a (illustrated in FIG. 1d ) for input intocryptographic algorithms 141, and the seed 128 b in random numbergenerator 128 could utilize data from a sensor 101 f in order togenerate a random number 128 a with high entropy in the creation ofsymmetric key 127. Random number generator 128 and random number 128 aare also depicted and described in connection with FIG. 1d of U.S.patent application Ser. No. 14/039,401, filed Sep. 27, 2013 in the nameof John Nix, the contents of which are herein incorporated in theirentirety.

Module identity 110 is preferably a unique identifier of module 101, andcould comprise a number or string such as, but not limited to, a serialnumber, an international mobile subscriber identity number (IMSI),international mobile equipment identity (IMEI), or an Ethernet mediaaccess control (MAC) address. According to an exemplary embodiment,module identity 110 can also comprise a serial number or string that iswritten into hardware of module 101 upon manufacturing or distributionof module 101 (also depicted and described in connection with a step 511in FIG. 5b below). In this case, module identity 110 could be recordedin a read only memory 101 c, where read only memory 101 c could not beeasily erased or otherwise tampered with. Read only memory 101 c couldalso comprise a protected memory and the address for accessing themodule identity 101 within the ROM 101 c could comprise a protectedaddress. A protected address can comprise an address accessible to a CPU101 b and readable by CPU 101 b where the data within the protectedaddress is not modified, changed, or updated by a CPU 101 b under normaloperating conditions. Also note that the protected address can compriseone form of a nonvolatile memory, where a memory records data. Or,module 101 could read module identity 110, which could be written intohardware by a manufacturer, distributor, or module provider 109, byusing a device driver 101 g that reads a hardware address containing themodule identity 110 using the system bus 101 d. In this case, thehardware address can comprise a protected address, as contemplatedherein. Module 101 can read the module identity 110 by accessing aread-only address using the bus 101 d. In either case, in manyembodiments module identity 110 may preferably be permanently orpersistently associated with the physical hardware of module 101, whichcan be helpful for the security procedures contemplated herein. Moduleidentity 110 can function as a basic identifier for services from mobilenetwork operator 108, wireless network 102, eUICC subscription manager164, and/or server 105 in order to properly identify module 101 among aplurality of modules. Module private key 112 and module public key 111could be unique to module 101 and uniquely associated with moduleidentity 110, according to a preferred embodiment.

As contemplated herein, a module identity 110 can also have more thanone use. A first module identity 110 could comprise a serial number forthe physical hardware of module 101, as described in the paragraphabove. A second module identity 110 could also comprise a sessionidentifier, for data sessions between module 101 and server 105, wherethe session identifier can be uniquely associated by a server 105 tomodule 101. A third module identity 110 could comprise a network moduleidentity 110 b within a set of network access credential 314 describedin FIG. 3b below. A fourth module identity 110 can be associated withthe eUICC 163. In embodiments where module identity 110 has more thanone use, format, or representation, the module identity 110 associatedwith or written into hardware of module 101 (and potentially read from aread-only address in module 101) may preferably comprise the moduleidentity 110 used in a certificate 122. Since a module 101 may utilizemultiple module public keys 111 and module private keys 112 over itslifetime, a certificate 122 for module 101 can preferably include both(i) the module identity 110 (such as, but not limited to, a serialnumber for the physical hardware of module 101) and (ii) a module publickey identity 111 a in order to specify the particular module public key111 associated with certificate 122. The use of a module public keyidentity 111 a in a certificate 122 is also depicted and described inconnection with FIG. 1h of U.S. patent application Ser. No. 14/055,606,filed Oct. 16, 2013 in the name of John Nix. Since a module 101 may alsohave multiple public keys 111 for different purposes (such as, but notlimited to, one for creating digital signatures, another for asymmetricciphering, another for use with a second wireless network 102, etc.),then module 101 may also potentially have multiple valid certificates122 concurrently each with different module public key identities 111 a.

Further, as contemplated herein, a module identity 110 could alsocomprise more than one physical string or number, such as, but notlimited to, a first string when module 101 connects with a first mobilenetwork operator 108 or first wireless network 102, and module identity110 could comprise a second string when module 101 connects with asecond mobile network operator 108 or second wireless network 102. Thefirst mobile network operator 108 or first wireless network 102 may havea first requirement or specification for the format, length, structure,etc. of module identity 110, and the second mobile network operator 108or second wireless network 102 may have a second requirement orspecification for the format, length, structure, etc. of module identity110. In this manner, even though more than one string or number is usedto identify a module 101, the two different strings or numbers couldcomprise a module identity 110.

Server public key 114 in module 101 could be obtained from downloadingthe key over the IP Network 107, or optionally also written intononvolatile memory of module 101 upon manufacture or distribution.Server public key 114 could be obtained using a domain name or Internetaddress that is recorded in nonvolatile memory upon the configuration ofmodule 101, such as, but not limited to, during installation ordistribution, and module 101 could fetch the server public key 114 uponconnecting to a wireless network 102 or other connection to the IPNetwork 107. Additional elements besides those depicted in FIG. 1c couldalso be recorded in volatile memory 101 e, which could comprise a RAM101 e. For example, cryptographic algorithms 141, the shared secret keys129, and the pre-shared secret key code 134 could also be recorded inRAM 101 e as well. Note that values and related data can also berecorded in both RAM 101 e and nonvolatile memory 101 w at the sametime, such that data in nonvolatile memory 101 w allows module 101 toaccess the data after a shutdown state, but moving the same data intoRAM 101 e during an active state allows module 101 to more quicklyperform operations using a CPU 101 b. Other possibilities exist as wellfor the storage location of various values and data elements illustratedin FIG. 1e without departing from the scope of the present invention.

Module 101 may also contain cryptographic algorithms 141, which maycomprise a suite of algorithms or subroutines that can be utilized for(i) deriving a pair of keys comprising a public key and a private key,(ii) encrypting data using public keys, (iii) decrypting data usingprivate keys, (iv) processing secure hash signatures using private keys,and (v) verifying secure hash signatures using public keys, and relatedsoftware, firmware, or subroutines for implementing a cryptographicsystem, including symmetric ciphering algorithms. Cryptographicalgorithms 141 (also described below in FIG. 1d ) could utilize publiclyavailable software libraries within tools such as, but not limited to,OpenSSL maintained by The OpenSSL Project (http://www.openssl.org/),libgcrypt maintained by The Free Software Foundation(http://www.gnu.org/software/libgcrypt/), and similar libraries such as,but not limited to, libmcrypt and Crypto++. Note that cryptographicalgorithms 141 could also use proprietary cryptographic libraries aswell. In addition to implementing asymmetric encryption/ciphering, suchas, but not limited to, used with RSA and ECC cryptography,cryptographic algorithms 141 can provide symmetric ciphering where ashared private key is utilized to both encrypt and decrypt, such as, butnot limited to, with the Advanced Encryption Standard (AES) ciphersuite.

As illustrated in FIG. 1c , module 101 may also contain a random numbergenerator 128. Random number generator 128 may contain a seed 128 b. Thecreation of random numbers with a high degree of entropy may beimportant the use of cryptographic algorithms 141. A plurality of thedata as a source for a random number seed 128 b could be appendedtogether into a “module random seed file” 139 (illustrated in FIG. 1d )with a combined series or list of states (i.e. a plurality of sensor 101f measurements, radio 101 z measurements, clock 160 times or values,memory 101 e or memory 101 w states, operating system 101 h states,actuator 101 y states, and/or hardware 101 a or 101 d states). Note thatvalues or data for each of the elements listed in the previous sentencecould be utilized in a “module random seed file” 139 instead of or inaddition to a state. The “module random seed file” is also depicted anddescribed in connection with FIG. 1e of U.S. patent application Ser. No.14/055,606, filed Oct. 16, 2013 in the name of John Nix, which is herebyincorporated by reference in its entirety

Note that the term “public key” as contemplated herein includes a keythat may be shared with other elements, where the other elements may notbe under the direct control of the same entity that holds thecorresponding private key. However, the term “public key” as used hereindoes not require that the public key is made available to the generalpublic or is publicly disclosed. An additional layer of security may bemaintained in the present invention by preferably only sharing publickeys on a confidential basis with other entities. For example, modulepublic key 111 may be created by module 101 when generating moduleprivate key 112, and module 101 may share module public key 111 withmobile network operator 108 in order to record module public key 111 inserver 105, but module 101 could choose to not (i) share module publickey 111 with other entities, such as module provider 109 or (ii) providea certificate 122 with module public key 111 publicly available on theIP Network 107. The benefits of confidentially sharing module public key111 with server 105 are also further described below.

Although a single public key and private key for module 101 isillustrated in FIG. 1c , both module 101 and server 105 may each utilizeseveral different pairs of public keys and private keys. As one example,module 101 may record a first private key 112 used for creating adigital signature and a second private key 112 for decryption usingasymmetric ciphering algorithms 141 a. In this example, a server 105could utilize a first module public key 111 to verify the digitalsignature, and a second module public key 111 could be utilized toencrypt messages sent to module 101. Similarly, either module 101 orserver 105 may use private key 112 or 105 c, respectively, to derivesecondary shared keys such as, but not limited to, a derived shared key129 b below. Thus, one key pair could be used with digital signatures, asecond key pair used for asymmetric ciphering, and a third key pair toderive shared secret keys. Each of the three illustrated pairs of keyscould comprise a set of keys, and each of the illustrated pairs of keyscould also use a different set of cryptographic parameters 126(illustrated in FIG. 1g below), although the cryptographic parameters126 for the various pairs of keys could also be the same.

In addition, module 101 could utilize a first set of keys to communicatewith a first MNO 108 and a second set of keys to communicate with asecond MNO 108. The first set of keys could use or be associated with afirst set of cryptographic parameters 126 and the second set of keyscould use or be associated with a second set of cryptographic parameters126. According to exemplary embodiments, module 101 may also include apre-shared secret key 129 a. Pre-shared secret key 129 a can comprise asecret key that is shared between module 101 and server 105 beforemodule 101 begins (i) communicating with server 105 and/or a certificateauthority 118, (ii) or utilizing PKI-based encryption and authenticationto communicate with mobile network operator 108. As illustrated in FIG.1f below, server 105 could also record the pre-shared secret key 129 a,and a pre-shared secret key 129 a can be associated with each module 101using a module identity 110. A pre-shared secret key 129 a is alsodepicted and described in connection with U.S. patent application Ser.No. 14/055,606, filed Oct. 16, 2013 in the name of John Nix, which ishereby incorporated by reference in its entirety. In an exemplaryembodiment, once the pre-shared secret key 129 a has been utilized toauthenticate or verify a module public key 111 with a server 105 (suchas, but not limited to, using subsequent steps 517 in FIG. 5b below),then that particular pre-shared secret key 129 a may be “discarded” andnot used again for security purposes contemplated herein.

Note that the use of a pre-shared secret key 129 a and pre-shared secretkey code 134 is also optional, such that a module program 101 i couldcipher of obfuscate the initial submission of a derived module publickey 111 and module identity to a server 105, so that server 105 could bereasonably assured only a valid module 101 submitted the module publickey 111. According to a preferred exemplary embodiment, module 101 canderive its own module private key 112 and module public key 111, andutilize pre-shared secret key 129 a in order to securely and/orauthoritatively communicate the derived module public key 111 withserver 105 and/or a certificate authority 118. The use of pre-sharedsecret key 129 a can be particularly useful if module 101 has alreadybeen deployed with a monitored unit 119 and connects to server 105though the IP Network 107 for the very first time. Server 105 couldpreferably utilize pre-shared secret key 129 a in order to confirm thata received module public key 111 and module identity 110 from module 101authoritatively belong to module 101, as opposed to being anunauthorized or even fraudulent submission of module public key 111 andmodule identity 110.

Server 105 could utilize a pre-shared secret key 129 a and the stepsdepicted and described in connection with FIG. 4 below in order tosecurely receive module public key 111 and module identity 110 frommodule 101, including the first time module 101 sends module public key111 to server 105. As one example, pre-shared secret key 129 a could beutilized as a symmetric ciphering 141 b key, described in FIG. 1d below.After the first submission of module public key 111 to server 105, anysubsequent submissions of new module public keys 111 derived by module101 could either (i) continue to use the pre-shared secret key 129 a, or(ii) use a symmetric key 127 derived after the first module public key111 has been received. Securing the submission of module public key 111with server 105, including both the first submission and subsequentsubmissions, is also depicted and described in connection with FIG. 5bbelow.

FIG. 1d

FIG. 1d is a graphical illustration of components in a set ofcryptographic algorithms, in accordance with exemplary embodiments. Ascontemplated herein, communications with module 101 can be secured byusing cryptographic algorithms 141. The cryptographic algorithms 141used by module 101, server 105, or other servers can comprise a set ofsteps, procedures, or software routines for accomplishing steps tocipher, decipher, sign, and verify messages, including the generation ofpublic keys, private keys, and derived shared keys, including symmetrickeys. Cryptographic algorithms 141 can be implemented in software orfirmware operating on (i) module 101 in the form of a module program 101i or an eUICC 163, (ii) server 105 in the form of a module controller105 x, or (iii) wireless network 102 or MNO 108 in the form of a server105, where server 105 generates tokens for the authentication of amodule 101 and mobile phones connecting with wireless network 102.Example software for a cryptographic algorithms 141 includes thelibraries within the openssl, libmcrypt, and/or and Crypto++ discussedin FIG. 1c . Other possibilities for the location of cryptographicalgorithms 141 within a module 101, server 105, or wireless network 102exist as well, including possibly module operating system 101 h and aserver operating system 105 h (described in FIG. 1k below).

In addition, cryptographic algorithms 141 may be implemented in hardwareor firmware on any of module 101, server 105, or MNO 108. Note thatmodule 101, server 105 and MNO 108 could each utilize a different set ofcryptographic algorithms 141, although the sets of algorithms shouldpreferably be fully interoperable (i.e. ciphering with a first symmetricciphering algorithm 141 b and a symmetric key 127 on module 101 could bedeciphered by a second symmetric ciphering algorithm 141 b on server 105using the symmetric key 127, etc.). As illustrated in FIG. 1d ,cryptographic algorithms 141 may comprise an asymmetric cipheringalgorithm 141 a, a symmetric ciphering algorithm 141 b, a secure hashalgorithm 141 c, a digital signature algorithm 141 d, a key pairgeneration algorithm 141 e, a key derivation function 141 f, a randomnumber generator 128, and the other algorithms depicted in FIG. 1 d.

Asymmetric ciphering algorithms 141 a can comprise algorithms utilizingpublic key infrastructure (PKI) techniques for both (i) encrypting witha public key and (ii) decrypting with a private key. Example algorithmswithin asymmetric algorithms 141 a include the RSA algorithms 153 andthe Elliptic Curve Cryptography (ECC) algorithms 154, and otherasymmetric algorithms could be utilized as well. For example, either theECC algorithms 154 or RSA algorithms 153 can be used for encryption anddecryption, including (i) encryption step 402 discussed below in FIG. 4,as well as (ii) decryption step 514 discussed below in FIG. 5a . A setof cryptographic parameters 126 can include input into asymmetricciphering algorithms 141 a, such as, but not limited to, specifying keylengths, elliptic curves to utilize (if ECC), modulus (if RSA) or otherparameters or settings required. As contemplated herein and described inadditional detail below, the algorithms illustrated in FIG. 1d canperform both ciphering and deciphering, using the appropriate keys.Although RSA algorithms 153 and ECC algorithms 154 are illustratedwithin an asymmetric ciphering algorithm 141 a, a RSA algorithm 153 andECC algorithm 154 could also be associated with a key pair generationalgorithm 141 e and other elements within a set of cryptographicalgorithms 141, and thus not exclusively used within a set ofcryptographic algorithms 141 by an asymmetric ciphering algorithm 141 a.

The use and application of RSA algorithms and cryptography are describedwithin IETF RFC 3447 titled “Public-Key Cryptography Standards (PKCS)#1: RSA Cryptography Specifications Version 2.1”, herein incorporated byreference, among other published standards for the use of RSA algorithms153. The use of an RSA algorithm 153 for encryption and decryption,including with cryptographic algorithms 141 and other description ofencryption or decryption algorithms, can also be processed according tothe description of the RSA algorithm according to the Wikipedia entryfor “RSA (algorithm)” as of Sep. 9, 2013, which is incorporated byreference herein.

The use and application of ECC algorithms 154 for asymmetric cipheringalgorithms 141 a within cryptographic algorithms 141 are describedwithin IETF RFC 6090 titled “Fundamental Elliptic Curve CryptographyAlgorithms” (herein incorporated by reference), among other publishedstandards using ECC. ECC algorithms 154 can also utilize elliptic curvecryptography algorithms to the Wikipedia entry for “Elliptic curvecryptography” as of Sep. 9, 2013, which is incorporated by referenceherein. ECC algorithms 154 may utilized according to exemplary preferredembodiments in order to maintain high security with smaller key lengths,compared to RSA, thereby helping to comparably reduce the messagelengths, radio frequency spectrum utilization, and processing powerrequired by module 101. Thus, the use of ECC algorithms 154 withinvarious steps requiring ciphering or digital signatures may helpconserve battery life of module 101 while maintaining the objective ofsecuring system 100 and other systems illustrated herein. Note that ascontemplated herein, other algorithms besides with ECC algorithms 154and RSA algorithms 153 may be also be used in asymmetric algorithms 141a and also a key pair generation algorithm 141 e.

Cryptographic algorithms 141 may also include a set of symmetricciphering algorithms 141 b. Symmetric ciphering algorithms 141 b canutilize a symmetric key 127 by one node such as a module 101 to encryptor cipher data, and the encrypted data can be decrypted or deciphered byserver 105 also using the symmetric key 127. Examples of symmetricciphers include Advanced Encryption Standard 155 (AES), as specified inFederal Information Processing Standards (FIPS) Publication 197, andTriple Data Encryption Standard (Triple DES), as described in NISTSpecial Publication 800-67 Revision 1, “Recommendation for the TripleData Encryption Algorithm (TDEA) Block Cipher (Revised January 2012)”.Cryptographic parameters 126 input into symmetric ciphering algorithms141 b can include symmetric key 127 length, such as, but not limited to,the selection of 128, 192, or 256 bits with AES 155 symmetric ciphering,and cryptographic parameters 126 could also select a symmetric cipheringalgorithm in a collection of symmetric ciphering algorithms 141 b. Otherexamples of symmetric ciphering algorithms 141 b may be utilized as wellwithin cryptographic algorithms 141. Also note that as contemplatedherein, the term “symmetric ciphering” contemplates the use of asymmetric key 127 in order to encrypt or cipher data with a symmetricciphering algorithm 141 b, and “asymmetric ciphering” contemplated theuse of an asymmetric ciphering algorithm 141 a to encrypt or cipher datawith a public key, such as module public key 111 or server public key114.

Cryptographic algorithms 141 may also include a set of secure hashalgorithms 141 c in order to compute and output a secure hash value ornumber based on a string or file input into the secure hash algorithms141 c. Example secure hash algorithms include SHA256 156 (also known asSHA-2) and SHA-3 157. SHA256 156 is specified in the National Instituteof Standards and Technology (NIST) Federal Information ProcessingStandards Publication (FIPS PUB) 180-2 titled “Secure Hash Standard”.SHA-3 157 is scheduled to be published in FIPS PUB 180-5. Cryptographicparameters 126 input into secure hash algorithms 141 c can include theselection of the length of the secure hash, such as, but not limited to,using 224, 256, or 512 bits with either SHA-2 or SHA-3, and otherpossibilities exist as well.

Cryptographic algorithms 141 may also include a set of digital signaturealgorithms 141 d, in order to sign and verify messages between (i)module 101 and server 105 or (ii) server 105 and wireless network 102.Digital signature algorithms 141 d can also verify signatures such as,but not limited to, comparing that (i) a first secure hash value in theform of a digital signature in a certificate (not shown) using acertificate authority public key matches (ii) a second secure hash valuein the certificate (not shown). Digital signature algorithms 141 d canutilize algorithms in National Institute of Standards (NIST) “FIPS186-4: Digital Signature Standard”, or IETF RFC 6979 titled“Deterministic Usage of the Digital Signature Algorithm (DSA) andElliptic Curve Digital Signature Algorithm (ECDSA)”. The use of ECDSAalgorithm 158 within a set of digital signature algorithms 141 d may bepreferred if keys such as, but not limited to, module public key 111 andserver public key 114 are based on elliptic curve cryptography. The useof the Digital Signature Standard can comprise a DSA algorithm 167.Other PKI standards or proprietary techniques for securely verifyingdigital signatures may be utilized as well in digital signaturealgorithms 141 d. Cryptographic parameters 126 input into digitalsignature algorithms 141 d can include the selection of a secure hashalgorithms 141 c to utilize with digital signature algorithms 141 d, orthe algorithm to utilize, such as, but not limited to, ECDSA 158 shownor an RSA-based alternative for digital signatures is possible as well.Cryptographic parameters 126 input into digital signature algorithms 141d can also include a padding scheme for use with a digital signaturealgorithms 141 d. Digital signature algorithms 141 d could also includean RSA digital signature algorithm for use with RSA-based public andprivate keys.

Cryptographic algorithms 141 may also include key pair generationalgorithms 141 e, a key derivation function 141 f, and a random numbergenerator 128. Key pair generation algorithms 141 e can be utilized bymodule 101, server 105, or network 102 to securely generate private andpublic keys. The key pair generation algorithms 141 e can also use inputfrom a cryptographic parameters 126, such as, but not limited to, thedesired key lengths, or a value for an ECC curve if the public key willsupport ECC algorithms 154. According to an exemplary preferredembodiment, module 101 can derive a pair of module public key 111 andmodule private key 112 using key pair generation algorithms 141 e.Software tools such as, but not limited to, openssl and libcrypt includelibraries for the generation key pairs, and these and similar librariescan be used in a key pair generation algorithm 141 e.

Key derivation function 141 f can be used by module 101, server 105,and/or wireless network 102 in order to determine a common derivedshared secret key 129 b, using at least two numbers as input. Inexemplary embodiments, one of the two numbers as input can comprise oneof (i) a private key, or (ii) a secret shared key 129. The other of thetwo numbers input into a key derivation function 141 f could comprise atleast one number from (i) a set of cryptographic algorithms 126 or (ii)a random number 128 that is commonly shared between two nodes utilizinga key derivation function 141 f in order to process or obtain the samederived shared secret key 129 b. A key exchange to share a commonsymmetric key 127 can be performed using a key derivation function 141 fand cryptographic parameters 126, in addition to using public and/orprivate keys in some embodiments. In exemplary embodiments, three valuescomprising (i) a private key, (ii) a token such as a public key or arandom number, and (iii) values from a set of cryptographic parameters126 can be input into the key derivation function 141 f in order tooutput a derived shared secret key 129 b.

An exemplary algorithm within a key derivation function 141 f can be theDiffie-Hellman key exchange, which is used by tools such as, but notlimited to, secure socket layer (SSL) with RSA algorithms 153. Whenusing ECC algorithms 154, module 101 and server 105 can utilize EllipticCurve Diffie-Hellman (ECDH) algorithms 159, and a summary of ECDH isincluded in the Wikipedia article titled “Elliptic Curve Diffie-Hellman”(http://en.wikipedia.org/wiki/Elliptic_curve_Diffie % E2%80%93Hellmanfrom Sep. 24, 2013, which is herein incorporated by reference. Otheralgorithms to derive a shared secret key 129 b using public keys,private keys, and tokens may also be utilized in a key derivationfunction 141 f, such as, but not limited to, the American NationalStandards Institute (ANSI) standard X-9.63 160. Cryptographic parameters126 used with key derivation function 141 f with elliptic curvecryptography can include a common base point G for two nodes using thekey derivation function 141 f and public keys. The base point G in acryptographic parameters 126 can be transmitted or sent from a module101 to a server 105 in a message 208, and the base point G can be sentfrom a server 105 to a module 101 in a response 209, and otherpossibilities exist as well, including recording the base point G withina received eUICC profile 311. Cryptographic parameters 126 can alsoinclude other or additional information for using a key derivationfunction 141 f in order to derive either (i) a commonly shared symmetrickey 127, or (ii) a commonly shared secret key 129 b. The use of a keyderivation function 141 f with a Diffie Helmman key exchange is alsodepicted and described in connection with FIG. 11 below. Otherpossibilities for a key derivation function 141 f exist as well withoutdeparting from the scope of the present invention.

Cryptographic parameters 126 input into key pair generation algorithms141 e can include the type of asymmetric ciphering algorithms 141 a usedwith the keys, the key length in bits, an elliptic curve utilized forECC, a time-to-live for a public key that is derived, and similarsettings. Additional cryptographic parameters 126 for a public key caninclude a supported point formats extension, where the supported pointformats extension could comprise uncompressed, compressed prime, or“compressed char2” formats, as specified in ANSI X-9.62. In other words,an ECC public key can have several formats and a set of cryptographicparameters 126 can be useful to specify the format. Although a set ofcryptographic parameters 126 is illustrated in FIG. 1d as internal tocryptographic algorithms 141, parameters 126 could be recorded in otherlocations in a module 101 or a system 100. As one example, a set ofcryptographic parameters 126 could be recorded in a server 105 anddownloaded by module 101 using the IP Network 107. The variousalgorithms within cryptographic algorithms 141 may utilize a randomnumber generator 128, which is also depicted and described in connectionwith FIG. 1c above. As contemplated herein, the term “cryptographicparameters” 126 may be considered equivalent to a “set of cryptographicparameters” 126, and also use of the terms “parameters” 126 and “set ofparameters” 126 can both refer to the cryptographic parameters 126illustrated in FIG. 1d and FIG. 1i . Cryptographic parameters 126 arealso further depicted and described in connection with FIG. 1i below.

According to a preferred exemplary embodiment, cryptographic parameters126 can include values to define an elliptic curve and/or use ECCalgorithms 154. A set of ECC parameters 137 could comprise values ornumbers for an elliptic curve defining equation. ECC parameters 137 arealso depicted and described in FIG. 1g of U.S. patent application Ser.No. 14/055,606, filed Oct. 16, 2013 in the name of John Nix, which ishereby incorporated by reference in its entirety. Cryptographicparameters 126 could also include an ECC standard curve 138, which couldcomprise a name and/or values for a standardized curve, such as, but notlimited to, the list of named curves included in section 5.1.1 of IETFRFC 4492 titled “Elliptic Curve Cryptography (ECC) Cipher Suites forTransport Layer Security (TLS).”

As contemplated herein, a set of cryptographic algorithms 141 mayoperate using either strings or numbers, and cryptographic parameters126 could include either strings or numbers as well. As contemplatedherein (i) a collection, sequence, and/or series of numbers couldcomprise a string, (ii) a string can include a mixture of numbers andcharacters, or (iii) a string can comprise a collection, sequence,and/or series of characters or bits. The processing of cryptographicalgorithms 141 within a module 101 can take place within a CPU 101 b, ormodule 101 could also process cryptographic algorithms in acryptographic processing unit (not shown) connected to the system bus101 d. An eUICC 163 could also include a set of cryptographic algorithms141, in addition to a separate set of cryptographic algorithms 141 beingrecorded in a flash memory 101 w for module 101. According to anexemplary embodiment, a module 101 or a server 105 could include acryptographic processing unit (not shown) separate from the CPU 101 b orCPU 105 b in order to increase efficiency or security for supporting theuse of cryptography through a system 100. An eUICC 163 could comprisethe separate cryptographic processing unit. Alternatively, in exemplaryembodiments cryptographic algorithms 141 can be implemented entirely insoftware within a module 101 and/or server 105, and also utilized by amodule controller 105 x and network controller 101 i.

A shared secret algorithm 141 g is depicted and described in connectionwith FIG. 1f below. In an exemplary embodiment, a shared secretalgorithm 141 g can comprise an algorithm to accept input from (i) a setof component parameters 101 t and (ii) an algorithm token 190, which areboth depicted and described in connection with FIG. 1e and FIG. 1f , andthe shared secret algorithm 141 g can output a shared secret key 129 c.A secret ciphering algorithm 141 h is depicted and described inconnection with FIG. 1g below. In an exemplary embodiment, a secretciphering algorithm 141 h can comprise an algorithm to accept input from(i) a module identity 110 and (ii) an algorithm token 190 as a key,which are both depicted and described in connection with FIG. 1f , andthe secret ciphering algorithm 141 h can output an encrypted moduleidentity 110 a. A secret ciphering algorithm 141 h can also be used as asymmetric ciphering algorithm 141 b, where the logic and/or steps forusing a key such as, but not limited to an algorithm token 190, remainsecret and/or are not publicly shared. In an exemplary embodiment, asecret ciphering algorithm 141 h can be similar to AES 155, but with adifferent and confidential series of steps for mixing and substitutingdata input in order to output encrypted data. A server 105 or otherservers can use a secret ciphering algorithm 141 h and input of aciphertext and a key to derive or process plaintext. In an exemplaryembodiment, a server 105 or other servers can use a secret cipheringalgorithm 141 h and input of (i) ciphertext of an encrypted moduleidentity 110 a and (ii) an algorithm token 190 in order to output amodule identity 110.

FIG. 1e

FIG. 1e is a graphical illustration of a set of components for a moduleand a set of component parameters, in accordance with exemplaryembodiments. A module 101 can comprise a plurality of hardware andsoftware components for operating in a system 100 and other exemplarysystems illustrated herein. The hardware components can be manufacturedand assembled into a housing or enclosure for distribution to moduleproviders 109 and/or distributors or end users of a module 101. Hardwarecomponents illustrated in FIG. 1e can include a RAM 101 e, a flashmemory 101 w, a CPU 101 b, a radio 101 z, an eUICC 163, a sensor 101 f,and an actuator 101 y. Software and/or firmware components can includeoperating system 101 h and also a module program 101 i (not shown).Module 101 can also include a plurality of any of these components. Anyof the components can include a set of component parameters 101 t,including a model number, size or capacity, a serial number, amanufacturing date (or release date), a system bus 101 d address, aspeed or capacity, an operating frequency, a software or firmwareversion for the component, a file size, an associated battery size 101k, and/or a list of values, etc. The overall assembled and/ormanufactured module 101 can include component parameters 101 t as well,including a serial number, version number, list of supported sensorsand/or actuators, etc. Component parameters 101 t are depicted in FIG.1e as illustrative as opposed to being limiting, and other componentparameters can be utilized as well for a set of component parameters 101t, in addition to the use of different components than those illustratedin FIG. 1 e.

In exemplary embodiments, component parameters 101 t can include manyvalues that remain persistent over the lifetime of a module 101,although in some embodiments a component for a module 101 could bechanged after manufacturing. As one example, a technician could change amemory unit such as a RAM 101 e for upgrade or other purposes, and thenew RAM 101 e could subsequently utilize different component parameters101 t. In exemplary embodiments other entities besides the module 101could record or store a set of component parameters 101 t for a module101, including module provider 109, mobile network operator 108, and/ora server 105. A server 105 or the other entities could record a set ofcomponent parameters 101 t in a database with a module identity 110, andthe database that includes component parameters 101 t for the module 101could be updated if the component parameters 101 t change aftermanufacturing. As contemplated herein, a set of component parameters 101t can comprise any of the component parameters 101 t for each of thehardware and/or software elements within a module 101, includingcomponent parameters 101 t for the overall module 101. A set ofcomponent parameters can comprise either numbers or strings, including amix of numbers and strings. As contemplated herein, the term “set ofcomponent parameters” 101 t can also refer to component parameters 101t. Since each module 101 in a plurality of modules 101 can be different,such as using different serial numbers for individual components, a setof component parameters 101 t for a module 101 can be unique inexemplary embodiments. Other possibilities exist as well for a set ofcomponent parameters 101 t to be unique for a module 101 withoutdeparting from the scope of the present invention.

FIG. 1f

FIG. 1f is a graphical illustration for deriving a shared secret keyusing a shared secret algorithm, an algorithm token, and componentparameters, in accordance with exemplary embodiments. A module 101and/or server 105 can use a shared secret algorithm 141 g to process orderive a shared secret key 129 c using as input (i) a set of componentparameters 101 t and an algorithm token 190. A set of componentparameters 101 t for a module 101 are depicted and described inconnection with FIG. 1e above. The component parameters 101 t for amodule 101 can include a list of values input into the shared secretalgorithm 141 g such as one or more component or system serial numbers,system bus 101 d addresses, component model numbers, component sizes,date or time values for component manufacturing or release dates, and/orother similar data. In an exemplary embodiment, the set of parameters101 t input into a shared secret algorithm 141 g can be persistent orrelatively long-lived, such that the list of values from a set ofcomponent parameters 101 t do not frequently change. In anotherembodiment, the list or values for a module 101 comprising a set ofcomponent parameters 101 t can change over time, and in this case, bothmodule 101 and a server 105 (or other servers using the shared secretalgorithm 141 g) would also record any updated or changed values for aset of component parameters 101 t in order to utilize the same input. Inother words, a set of component parameters 101 t used by a module 101and a server 105 (or other servers associated with server 105) can keepthe set of component parameters 101 t for a module 101 synchronized.

An algorithm token 190 input into a shared secret algorithm 141 g cancomprise a temporary value or a number or a string that may preferablyonly be used once in exemplary embodiments. As illustrated in FIG. 1f ,an algorithm token 190 can comprise a timestamp and/or a random number128 a. The timestamp can be calculated using a clock 160 and the randomnumber 128 a may comprise a random number 128 a processed with a randomnumber generator 128. The random number generator 128 could use a“module random seed file” 139 in order to populate a seed 128 b with anumber or value that comprises a high level of “noise” or informationentropy. As contemplated herein, a random number 128 a can comprise apseudo-random number such that the number output by a random numbergenerator 128 may not completely mathematically random, but for thepurposes contemplated herein a pseudo-random number can comprise arandom number 128 a. In an exemplary embodiment, an algorithm token 190can comprise a time value, a random number 128 a alone, or a combinationof a time value and a random number 128 a. In an exemplary embodiment,the time value and/or random number 128 may preferably have a sufficientnumber of digits or resolution such that the probability of using thesame random number 128 a and/or time value as an algorithm token 190input into a shared secret algorithm 141 g would be sufficiently smallor negligible. Note that other values besides a time value or a randomnumber 128 a could be used in an algorithm token 190, where the othervalues also have a low probability of being reused and/or also contain ahigh level of information entropy. As contemplated herein, an algorithmtoken 190 can also be used with other algorithms in a set ofcryptographic algorithms 141 in addition to a shared secret algorithm141 g, including a secret ciphering algorithm 141 h depicted anddescribed in connection with FIG. 1g below.

Shared secret algorithm 141 g can use the algorithm token 190 and set ofcomponent parameters 101 t as input and output a shared secret key 129c. Another element in a system 100 besides a module 101 can obtain orprocess the same shared secret key 129 c using an equivalent value foran algorithm token 190 and set of component parameters 101 t.Consequently in preferred embodiments module 101 and the other elementsuch as, but not limited to server 105, could determine the same orequivalent value for an output shared secret key 129 c without having tosend or receive the shared secret key 129 c output from the sharedsecret algorithm 141 g. Shared secret algorithm 141 g could use logic ora set of programmatic steps for taking the values input and generatingthe output of a shared secret key 129 c. In an exemplary embodiment,shared secret algorithm 141 g could select, mix, and append values fromthe series of component parameters 101 t and the time value and/orrandom number 128 a into a string or number. A shared secret algorithm141 g could also use data from the algorithm token 190 to determine orprocess data from the set of component parameters 101 t in order tooutput at least one shared secret key 129 c.

In an exemplary embodiment, a string or number resulting from processingthe set of component parameters 101 t and algorithm token 190 could beinput into a secure hash algorithm 141 c with a shared secret algorithm141 g, and the output of the secure hash algorithm 141 c could be usedfor a shared secret key 129 c. Other possibilities for the logic of ashared secret algorithm 141 g, including using a set of componentparameters 101 t and an algorithm token 190 to create a shared secretkey 129 c, are possible as well without departing from the scope of thepresent invention. Although a single algorithm token 190 and singleshared secret key 129 c are illustrated in FIG. 1f , a module 101 andserver 105 could use a plurality of single algorithm tokens 190 with ashared secret algorithm 141 g. In an exemplary embodiment, shared secretalgorithm 141 g could also output a plurality of shared secret keys 129c, and other logic could specify the use of one or several of theplurality of shared secret keys 129 c output by a shared secretalgorithm 141 g. In an exemplary embodiment, the values from the seriesof component parameters 101 t and the algorithm token 190, such as, butnot limited to a time value and/or random number 128 a, both (i) inputinto a shared secret algorithm 141 g and (ii) including possibilityusing a secure hash algorithm 141 c with a shared secret algorithm 141g, can be longer (or comprise more bits) than the output of a sharedsecret algorithm 141 g. The logic for processing the set of componentparameters 101 t and algorithm token 190 as input into the shared secretalgorithm 141 g can include rules, steps, and/or logic for selectingsubsets of the input data, mixing the input data, and ordering the inputdata. In an exemplary embodiment, the rules, steps, and/or logic forprocessing the input data in a shared secret algorithm 141 g maypreferably remain confidential or not publicly shared, in order for theoutput of shared secret key 129 c to reasonably remain “secret” and notreasonably obtainable by third parties who might also have the set ofcomponent parameters 101 t and the algorithm token 190.

In exemplary embodiments where a secure hash algorithm 141 c is used inor with a shared secret algorithm 141 g, a processed subset of theoutput from the secure hash algorithm 141 c could be used for the sharedsecret key 129 c. For example, if (A) the secure hash algorithm 141 coutputs 256 bits, but a smaller key is needed such as an exemplary 128bits for a shared secret key 129 c that comprises a symmetric key 127for use with AES ciphering 155, then (B) shared secret algorithm 141 gcould also contain logic to select or derive the shared secret key 129 cof the appropriate length from the output of a secure hash algorithm 141c, including truncating, parsing, or selecting a subset the output froma secure hash algorithm 141 c. Multiple instances or rounds of one ormany of a secure hash algorithm 141 c could also be used with a sharedsecret algorithm 141 g such that data input is processed in a sharedsecret algorithm 141 g using a secure hash algorithm 141 c more thanonce. In exemplary embodiments, as described below in FIG. 1g , thealgorithm token 190 for a shared secret algorithm 141 g can be shared bymodule 101 with other parties or nodes, including a server 105, in orderfor the server 105 to calculate the same shared secret key 129 c usingthe shared secret algorithm 141 g and the same set of recorded componentparameters 101 t. In these embodiments mentioned in the previoussentence, the module 101 could send the algorithm token to a server 105in a message 208, as illustrated in FIG. 6 below.

As contemplated herein, a shared secret key 129 c output from a sharedsecret algorithm 141 g may have multiple different uses, where a firstshared secret key 129 c can be used in a module identity stringciphering algorithm 161 (FIG. 1g below) and a second shared secret key129 c could be used as a symmetric key 127. Also, a shared secretalgorithm 141 g can comprise one embodiment of a key derivation function141 f, where the shared secret key 129 c can also comprise a derivedshared secret key 129 b. Other possibilities exist as well withoutdeparting from the scope of the present invention.

FIG. 1g

FIG. 1g is a graphical illustration for ciphering and decipheringplaintext using a secret ciphering algorithm with input of ciphertextand a key, in accordance with exemplary embodiments. FIG. 1g illustratesan exemplary secret ciphering algorithm ciphering 161 and an exemplarysecret ciphering algorithm deciphering 162. In the exemplary secretciphering algorithm ciphering 161, a secret ciphering algorithm 141 hcan process or derive output of ciphertext as encrypted module identity110 a using input of (i) an algorithm token 190 as a cipher key and (ii)plaintext in the form of a module identity 110. In the exemplary secretciphering algorithm deciphering 162, a secret ciphering algorithm 141 hcan process or derive plaintext output of a module identity 110 usinginput of (i) an algorithm token 190 as a cipher key and (ii) ciphertextin the form of an encrypted module identity 110 a. As contemplatedherein, a secret ciphering algorithm 141 h as one form of a symmetricciphering algorithm 141 b can also process other ciphertext andplaintext besides an encrypted module identity 110 a and a moduleidentity 110, respectively. In addition, a secret ciphering algorithm141 h can use a different key besides an algorithm token 190 as a cipherkey, such as, but not limited to, a random number 128 a as a cipher key.

The communication of a module identity 110 in a system 100 and othersystems illustrated herein can include the transmission of an encryptedmodule identity 110 a with the cipher key in the form of an algorithmtoken 190. The transmission of an encrypted module identity 110 a withthe cipher key in the form of an algorithm token 190 can remainreasonably secure, since the symmetric ciphering algorithm 141 b used ina secret ciphering algorithm 141 h to process ciphertext transmitted canremain secret or confidential. The secret symmetric ciphering algorithm141 b can comprise a secret ciphering algorithm 141 h. A secretciphering algorithm 141 h is also depicted and described in connectionwith FIG. 1d . In an exemplary embodiment, secret ciphering algorithm141 h, and other cryptographic algorithms 141, can be included in amodule program 101 i and a program, library, or subroutine in a server105.

In an exemplary embodiment, in order for the secret ciphering algorithm141 h to remain reasonably secure and/or confidential, the secretciphering algorithm 141 h can either (i) not be transmitted across anetwork such as, but not limited to, the IP Network 107 and recorded inmodule 101 upon manufacturing and/or distribution, or (ii) transmittedacross a network such as, but not limited to, the IP Network 107 in anencrypted or ciphered format. In exemplary embodiments, a cipher keyused in a secret ciphering algorithm ciphering 161 and a secretciphering algorithm deciphering 162 can also comprise any of a sharedsecret key 129 c, a symmetric key 127, a derived shared key 129 b, or apre-shared secret key 129 a. With the use of a cipher key such as ashared secret key 129 c, a symmetric key 127, a derived shared key 129b, or a pre-shared secret key 129 a, these keys may optionally not betransmitted with the ciphertext output of secret ciphering algorithm 141h, when the other node also can derive or obtain the cipher key throughsecure means. Other possibilities exist as well, in order for a module101 and a server 105 to use the same cipher key with a secret cipheringalgorithm 141 h to decrypt or resolve the ciphertext possibly in theform of an encrypted module identity 110 a into plaintext possibly inthe form of a module identity 110. A secret ciphering algorithm 141 hcould select, mix, and append values from the cipher key and theplaintext in a secret or confidential manner in a plurality of rounds,such that an observer with the cipher key and the ciphertext would notreasonably be able to read or determine the plaintext.

In exemplary embodiments, a module identity 110 can be sent ortransmitted in the form of an encrypted module identity 110 a in orderto protect the identity of module 101 from third parties along the pathof communications between a module 101 and a server 105. The algorithmtoken 190 sent with the encrypted module identity 110 a can be a cipherkey used by a secret ciphering algorithm 141 h to decipher the encryptedmodule identity 110 a into a module identity 110. A module 101 can use asecret ciphering algorithm ciphering 161 to convert a module identity110 into an encrypted module identity string 110 a with an algorithmtoken 190 as a cipher key. In a secret ciphering algorithm ciphering161, the module identity 110 and the algorithm token 190 as a cipher keycan be input in to a secret ciphering algorithm 141 g in order to outputa encrypted module identity 110 a string or number. The algorithm token190 can comprise or use a random number 128 a. A module 101 sending amessage with an encrypted module identity 110 a and an algorithm token190 is depicted and described in connection with FIG. 6 below. In anexemplary embodiment, the plaintext can include a security token 401 inorder to prevent replay or reuse of the encrypted module identity 110 a,where a security token 401 is depicted and described in connection withFIG. 4 below. Note that the use of a security token 401 is optional andmay be omitted, and replay or reuse of an encrypted module identity 110a can also be implemented by changing the algorithm token 190 used as acipher key.

A node such as a server 105 could use a secret ciphering algorithmdeciphering 162 in order to read plaintext from a received ciphertextand also a received algorithm token 190. When used with an encryptedmodule identity 110 a, a server 105 could process or input the encryptedmodule identity 110 a into a secret ciphering algorithm 141 h, alongwith inputting the algorithm token 190, in order to extract theplaintext. A secret ciphering algorithm deciphering 162 can comprise thereverse or inverse operation of secret ciphering algorithm ciphering161. Note that the plaintext could include a security token 401 in orderto prevent replay or reuse of the ciphertext, and a security token 401is depicted and described in connection with FIG. 4 below and couldcomprise a random number or string. In order to decrypt an encryptedmodule identity 110 a, a server 105 would preferably use the same secretciphering algorithm 141 h implemented by the module 101 sending theencrypted module identity 110 a. The module 101 can use a secretciphering algorithm ciphering 161 to cipher or encrypt the moduleidentity 110 as the encrypted module identity 110 a. The server 105 canalso receive the algorithm token 190 along with a message that containsthe encrypted module identity 110 a. Although illustrated in FIG. 6below as both encrypted module identity 110 a and algorithm token 190being received by a server 105 in the same message, the two values couldbe sent in separate messages.

An algorithm token 190 as a cipher key input into a secret cipheringalgorithm 141 h can comprise a temporary value or a number or a stringthat may preferably only be used once in exemplary embodiments, and caninclude a random number 128 a. As illustrated in FIG. 1h , an algorithmtoken 190 for a secret ciphering algorithm 141 h can comprise atimestamp and/or a random number 128 a. The timestamp can be calculatedusing a clock 160 and the random number 128 a may comprise a randomnumber 128 a processed with a random number generator 128. The randomnumber generator 128 could use a “module random seed file” 139 in orderto populate a seed 128 b with a number or value that comprises a highlevel of “noise” or information entropy. In an exemplary embodiment, analgorithm token 190 can comprise a time value alone, a random number 128a alone, or a combination of a time value and a random number 128 a. Inan exemplary embodiment, the time value and/or random number 128 maypreferably have a sufficient number of digits or resolution such thatthe probability of using the same random number 128 a and/or time valueas an algorithm token 190 input into a secret ciphering algorithm 141 hwould be sufficiently small or negligible. Note that other valuesbesides a time value or a random number 128 a could be used in analgorithm token 190, where the other values also have a low probabilityof being reused and also contain a high level of information entropy.

In an exemplary embodiment, for a system 100 with a plurality of modules101, different modules 101 could utilize different secret cipheringalgorithms 141 h. Other identifying information besides a moduleidentity 110 within a module encrypted data 110 a could be used by a setof servers 105 in order to determine which secret ciphering algorithm141 h is used for any given module 101. A first set of modules 101 usinga first secret ciphering algorithm 141 h, possibly to encrypt a moduleidentity 110, could send data to a first IP address or port number. Thereceipt of data at the port number or address by the server could signalor determine for the server 105 which secret ciphering algorithm 141 hwas used to encrypt the plaintext, thereby allowing the server 105 toselect the appropriate secret ciphering algorithm 141 h in order todecrypt the received ciphertext. Or, module 101 could send a value in amessage that would specify which secret ciphering algorithm 141 h isused with ciphertext sent by module 101, such as an encrypted moduleidentity 110 a. Other possibilities exist as well for the use of aplurality of secret ciphering algorithms 141 h as well, withoutdeparting from the scope of the present invention.

In exemplary embodiments, where a module identity 110 may be obfuscatedor encrypted in an encrypted module identity 110 a sent to a server 105in a message, the packet may also contain other encrypted data such as amodule encrypted data 403 depicted and described below in FIG. 4. Thepacket can also include the algorithm token 190. A module encrypted data403 can be ciphered with a symmetric key 127 and a different symmetricciphering algorithm 141 b than secret ciphering algorithm 141 h. Aserver 105 receiving a packet containing a module encrypted data 403should preferably be able to select a symmetric key 127 using a moduleidentity 110 in order to decrypt the module encrypted data 403. Sincethe module identity 110 may be transmitted as an encrypted moduleidentity 110 a, the server 105 can use the algorithm token 190 and asecret ciphering algorithm deciphering 162 in order to read theplaintext module identity 110. Upon reading the plaintext moduleidentity 110, the server can select the symmetric key 127 from a moduledatabase 105 k in order to decrypt the module encrypted data 403 intoplaintext.

FIG. 1h

FIG. 1h is a graphical illustration for deriving a shared secret key andan encrypted module identity, in accordance with exemplary embodiments.As depicted and described in connection with FIG. 1f , a shared secretkey 129 c can be calculated or derived by a shared secret algorithm 141g, where the shared secret algorithm 141 g can use input from a set ofcomponent parameters 101 t and an algorithm token 190. The set componentparameters 101 t depicted in FIG. 1h are shown as illustrative asopposed to limiting, and other component parameters 101 t could beutilized as well by a shared secret algorithm 141 g. The values for aset of component parameters 101 t could be encoded in different formatsthan plaintext as well. The algorithm token 190 can also comprisedifferent data, such as a random number 128 a in the form of binary orhexadecimal data and also with a longer set of digits than those shownin FIG. 1h . A timestamp can be in other formats, such as, but notlimited to, a number corresponding to unix epoch time. A module 101 anda server 105 could calculate the same or equivalent shared secret key129 c using the same or equivalent input from the algorithm token 190and the set of component parameters 101 t. The module 101 and server 105could use the same share secret algorithm 141 g to determine the sameshared secret key 129 c. The server 105 could record the set ofcomponent parameters 101 t in a module database 105 k, and the server105 could select the set of component parameters 101 t using a moduleidentity 110 received in a message. A shared secret key 129 c could alsocomprise a number longer than the number illustrated in FIG. 1h , suchas an exemplary 128 bits for use as a symmetric key 127 with a symmetricciphering algorithm 141 b that requires a key of 128 bits, and otherpossibilities exist as well.

In order to output shared secret key 129 c, shared secret algorithm 141g can use the logic and/or steps for a shared secret algorithm 141 gdepicted and described in connection with FIG. 1f to process the inputdata from the set of component parameters 101 t and the algorithm token190 in order to calculate the shared secret key 129 c. Different valuesfor a shared secret key 129 c could be calculated using different valuesfor the set of component parameters 101 t and the algorithm token 190.As illustrated in FIG. 1h , a first module 101 associated with a firstmodule identity 110 could use a first set of component parameters 101 tand different values for an algorithm token 190 in order to obtaindifferent shared secret keys 129 c over time, and a server 105 couldcalculate the same shared secret keys 129 c by receiving the algorithmtoken 190 in a message. As illustrated in FIG. 1h , a second module 101associated with a second module identity 110 could use a second set ofcomponent parameters 101 t and different values for an algorithm token190 in order to obtain different shared secret keys 129 c associatedwith the second module 101 over time. A server 105 could calculate thecorresponding shared secret keys 129 c for the second module 101 byreceiving the algorithm token 190 in a message, and use the second setof component parameters 101 t.

Encrypted module identity 110 a can be calculated by a module 101 usinga secret ciphering algorithm ciphering 161 and a key in the form of analgorithm token 190. The algorithm token 190 can preferably include arandom number 128 a in an exemplary embodiment. As illustrated in FIG.1h , a set of component parameters 101 t can also be used in a cipheringkey in a secret ciphering algorithm ciphering 161, but the use ofcomponent parameters 101 t with a secret ciphering algorithm ciphering161 can optionally be omitted, and in this case the ciphering key for asecret ciphering algorithm ciphering 161 can comprise an algorithm token190. The encrypted module identity 110 a and algorithm token 190 couldbe sent to a server 105 in an exemplary message illustrated in FIG. 6below. A server 105 or set of servers 1010 (illustrated in FIG. 10)could receive the encrypted module identity 110 a and algorithm token190, and the server 105 could use a secret ciphering algorithmdeciphering 162 and the algorithm token 190 to decrypt the encryptedmodule identity 110 a in order to read the plaintext module identity110. By using different values for the algorithm token 190 with a secretciphering algorithm ciphering 161, a module 101 can calculate differentvalues for encrypted module identity 110 a over time.

FIG. 1i

FIG. 1i is a graphical illustration of an exemplary system, where amodule and a server exchange a set of cryptographic parameters and asubset of the set of cryptographic parameters, in accordance withexemplary embodiments. In exemplary embodiments, a first node can send aset of cryptographic parameters 126 to a second node, and the secondnode can send a subset of cryptographic parameters 126 a to the firstnode. In an exemplary embodiment, a server 105 can send the set ofcryptographic parameters 126 to a module 101, and the module 101 cansend the subset of the cryptographic parameters 126 a to the server 105.The module can select the subset of cryptographic parameters 126 aaccording to the capabilities of a module program 101 i and/or a set ofcryptographic parameters 141 recorded in the module 101. In anotherexemplary embodiment, a module 101 can send the set of cryptographicparameters 126 to a server 105 (or a set of servers 1010 illustrated inFIG. 10), and the server 105 can send the subset of the cryptographicparameters 126 a to the module 101.

In this manner, using the steps illustrated in FIG. 1i , the two nodescan select and agree on a subset of cryptographic parameters 126 a foruse with a set of cryptographic algorithms 141. The exemplary values fora set of cryptographic parameters 126 are shown in FIG. 1i to beillustrative as opposed to limiting, and other values or fields for aset of cryptographic parameters 126 are possible as well withoutdeparting from the scope of the present invention. As contemplatedherein, a subset of cryptographic parameters 126 a can also comprise aset of cryptographic parameters 126. Although not illustrated in FIG. 1i, a node receiving a subset of cryptographic parameters 126 a could sendan acknowledgement upon receipt to signal the subset of cryptographicparameters 126 a had been properly received in a valid or acceptableformat and also implemented in communication with the other node.

In addition, both the set of cryptographic parameters 126 and the subsetof cryptographic parameters 126 a can be transmitted in a ciphertextform in order to increase security. In an exemplary embodiment, server105 can send the set of cryptographic parameters 126 in a serverencrypted data 504 (depicted and described in connection with FIG. 5abelow), and the module 101 can respond with a subset of cryptographicparameters 126 a in a module encrypted data 403 (depicted and describedin connection with FIG. 4 below). The set of cryptographic parameters126 or 126 a could be encrypted with a symmetric key 127, where in anexemplary embodiment the symmetric key 127 could comprise a pre-sharedsecret key 129 a depicted and described in connection with FIG. 1d ofU.S. patent application Ser. No. 14/039,401, filed Sep. 27, 2013 in thename of John Nix, which is incorporated by reference in its entirety.Or, the symmetric key 127 for encrypting a set of cryptographicparameters 126 or 126 a could comprise a shared secret key 129 c asdescribed in FIG. 1f and FIG. 1h herein.

In exemplary embodiments, module 101 and server 105 could pre-agree to abase set of cryptographic parameters 126 different than the set ofcryptographic parameters 126 illustrated in FIG. 1i , and the pre-agreedbase set of cryptographic parameters 126 could be used with a set ofcryptographic algorithms 141 to establish a symmetric key 127 in orderto encrypt the set of cryptographic parameters 126 or 126 a. Inaddition, the set of cryptographic parameters 126 or 126 a could beciphered using an asymmetric ciphering algorithm 141 a and a public keyof the other node, and sent to the receiving node to decrypt using theprivate key of the receiving node. The algorithms used to cipher a setof cryptographic parameters 126 in an asymmetric ciphering algorithm 141a could be pre-agreed, and a different set of asymmetric cipheringalgorithms 141 a could be selected after processing the received set ofcryptographic parameters 126. Other possibilities for encrypting a setof cryptographic parameters 126 or 126 a exist as well without departingfrom the scope of the present invention. Alternatively, the set ofcryptographic parameters 126 and/or 126 a could be sent between twonodes as plaintext within an IP packet.

The set of cryptographic parameters 126 can include a list of availableoptions for a set of asymmetric ciphering algorithms 141 a, symmetricciphering algorithms 141 b, secure hash algorithms 141 c, digitalsignature algorithms 141 d, a key pair generation algorithm 141 e, andalso general cryptographic parameters 126 b. Although not illustrated inFIG. 1i , a set of cryptographic parameters 126 could also includeparameters for a key derivation function 141 f, a shared secretalgorithm 141 g, and a secret ciphering algorithm 141 h. In an exemplaryembodiment, the list of available options for a set of asymmetricciphering algorithms 141 a could comprise a list of ECC standard curves138 and also ECC parameters 137 which could comprise a list of numbersor values for an elliptic curve defining equation. A module 101 and aserver 105 could utilize a custom or non-standard elliptic curvedefining equation by sending and/or receiving a set of ECC parameters137 in a set of cryptographic parameters 126. Or, as illustrated in FIG.1i , a node could select an ECC standard curve 138 from a list in a setof cryptographic parameters 126. A set of cryptographic parameters 126could include a private key length 126 e for deriving a module privatekey 112. A node could take similar steps for selecting an option from alist of available options for other fields as well in a set ofcryptographic parameters 126 such as, but not limited to, symmetricciphering algorithms 141 b, secured hash algorithms 141 c, etc. asillustrated in FIG. 1i , in order to derive a subset of cryptographicparameters 126 a.

General parameters 126 b can include a list of values that can beutilized in a set of cryptographic algorithms 141. General parameters126 could specify values for using and/or the format of (i) a securitytoken 410, (ii) an algorithm for processing an encrypted module identitystring 110 a, (iii) a certificate 122, (iv) a public key identity 111 a,(v) the authentication means of a derived public key 111 in a step 517depicted and described below in connection with FIG. 5b , (vi) a paddingscheme 126 c for the set of cryptographic algorithms 141, and/or (vii)key encoding rules 126 d. Key encoding rules 126 d can specify theformat for sending and receiving a public key, such as the format of aderived module public key 111 sent to a server 105 in a step 516depicted and described in connection with FIG. 5b below. Numeralsdepicted in FIG. 1i with a general parameters 126 b include a “′” soshow an association with the fields shown, as opposed to comprising theelements themselves. For example, the value of “security token length: 8bytes” in a general parameters 126 b with a label of “401′” illustratesthe value of “security token length: 8 bytes” is associated with asecurity token 401 as opposed to being an exemplary the value for asecurity token 401. Likewise, the value of “Public Key Identity: yes”with a label of 111 a′ illustrates that a general parameters 126 b canspecify a value for using a public key identity 111 a as opposed to apublic key identity 111 a comprising a value of “Public Key Identity:yes”, etc.

Within a general parameters 126 b in a set or subset of a cryptographicparameters 126, a field associated with module identity 110, illustratedas “110′”, can specify an algorithm to use for ciphering or obfuscatinga module identity 110. A general parameters 126 b could specify the useof a secret ciphering algorithm ciphering 161 for encrypting a moduleidentity 110. In an exemplary embodiment, the general parameters 126 bcan specify the method of authentication for a derived module public key111, where the module 101 could use a step 517 below. Exemplary valuesin a general parameters 126 b for the authentication of a derived modulepublic key 111 include, but are not limited to, message digest with asecret key, ciphering with a symmetric key 127, authenticating with apre-shared public key, and module 101 sending a module digital signature405 depicted and described in connection with FIG. 4 below. Inaccordance with preferred exemplary embodiments, a set of cryptographicparameters 126, possibly in a set of general parameters 126 b, caninclude both (i) values for a module 101 to use with a set ofcryptographic parameters 141 for deriving a new module public key 111and new module private key 112, and (ii) steps or values for a module101 to authenticate the new, derived module public key 111 with a server105.

The set of cryptographic parameters 126 illustrated in FIG. 1i for amodule 101 and the subset of cryptographic parameters 126 a may bedifferent than conventional technology, since the module 101 can selectappropriate parameters or values for deriving its own module public key111 and module private key 112, as well as changing the parameters orvalues over time for the generation of subsequent or new module publickeys 111 and module private keys 112. Although not illustrated in FIG.1i , general parameters 126 b could also include a time value for module101 to refresh the set of cryptographic parameters 126 with server 105,such as periodically checking for a change in a preferred set ofcryptographic parameters 126. In order to minimize bandwidth and alsopower consumption for a module 101, an exemplary time value for module101 to check with server 105 for a new set of cryptographic parameters126 could be an exemplary every 30 days. In another embodiment, server105 could simply send a new set of cryptographic parameters 126 tomodule 101 each time new values may applicable.

As contemplated herein, a module 101 may be deployed with a monitoredunit 119 for an extended period such as several years or longer, and amodule public key 111 with a limited validity date could expire. In thiscase, after an extended period such as years, a preferred set ofcryptographic parameters 126 could change, such as movement to longerprivate key lengths 126 e, or the use of a new set of ECC standardcurves 138. In this case, when a new module public key 111 is required,possibly due to the expiration of a prior module public key 111, module101 could receive a new set of cryptographic parameters 126 and send asubset of the cryptographic parameters 126 a before deriving a newmodule private key 112 and a new module public key 111 using the subsetof cryptographic parameters 126 a and a set of cryptographic algorithms141. In exemplary embodiments, a set of cryptographic parameters 126 orsubset of cryptographic parameters 126 a used by a module 101 can changeover time.

A set of cryptographic parameters 126 could specify additionalinformation to the exemplary data shown in FIG. 1i . Within a set ofgeneral parameters 126 b, a name or address of a certificate authority118 could be included, where module 101 could send a module public key111 derived using a step 515 depicted and described in connection withFIG. 5b . A set of cryptographic parameters 126 could include othernames and addresses of servers, such as a first server 105 in a set ofservers 1010 where module 101 would first authenticate module identity110 and obtain a symmetric key 127, and module 101 could thencommunicate with a second server 105 using the symmetric key 127. A setof cryptographic parameters 126 could specify that the source of newmodule private key 112 and module public key 111 could be internallyderived by module 101, as opposed to module 101 seeking a new moduleprivate key 112 from a local source, such as via a local network or aphysical interface such as USB interface 101 v. In addition, a set ofcryptographic parameters 126 could include values for a random numbergenerator 128, such as specifying the use of a seed 128 b, or a moduleseed file 139, or the minimum length of a random number 128 a. Inaddition, a plurality of different shared secret algorithms 141 g andsecret ciphering algorithms 141 h could be used by a module 101 and aserver 105, and specific shared secret algorithms 141 g and secretciphering algorithms 141 h can be selected in a set of cryptographicparameters 126.

In exemplary embodiments, although not illustrated in FIG. 1i , a set ofcryptographic parameters 126 or 126 a can specify the use of multiplemodule private keys 112 and module public keys 111 concurrently. In anexemplary embodiment, a module 101 could use a first module private key111 with asymmetric ciphering algorithms 141 a for receiving symmetrickeys 127, and a second module private key 111 for deriving orcalculating a module digital signature 405 (in FIG. 4 below). Further, amodule 101 could communicate with a plurality of servers 105, where afirst server 105 could use a first set of cryptographic parameters 126and a second server could use a second and different set ofcryptographic parameters 126. In order to maintain compatibility withthe different servers 105, a module 101 could use (i) a first moduleprivate key 112 and first module public key 111 that was derived usingthe first set of cryptographic parameters 126 for communicating with thefirst server 105, and (ii) a second module private key 112 and secondmodule public key 111 that was derived using the second set ofcryptographic parameters 126 for communicating with the second server105. In order to keep track of potentially multiple sets ofcryptographic parameters 126 and/or subsets of cryptographic parameters126 a, a module 101 and/or a server 105 could implement a set ofcryptographic parameters token 126 c. The token 126 c, illustrated as anexemplary “Set A” in FIG. 1i , can be a value to represent a collectionof cryptographic parameters 126, and subsequently either module 101 orserver 105 could refer to the set of cryptographic parameters 126 usingthe set of cryptographic parameters token 126 c instead of communicatingthe full set of cryptographic parameters 126.

As contemplated herein, a set of cryptographic parameters 126 could alsoinclude values for a module 101 to authenticate or communicate with oneor multiple wireless networks 102. In an embodiment, a wireless network102 could require a specific symmetric ciphering algorithm 141 b, andalso a specific key derivation function 141 f for generating derivedshared keys 129 b, and the specific values needed for module 101 tocommunicate with a wireless network 102 could be sent in a set ofcryptographic parameters 126. Other possibilities exist as well to thoseof ordinary skill in the art without departing from the scope of thepresent invention.

FIG. 1j

FIG. 1j is an illustration of a certificate that includes a PKI publickey, where the key comprises an elliptic curve cryptography key, inaccordance with exemplary embodiments. Public and private keys in system100 and other systems contemplated herein can utilize PKI techniquesother than RSA, such as the elliptic curve cryptography (ECC) public key111 illustrated in FIG. 1h . One benefit of using ECC is that anequivalent level of security can be obtained for a much smaller keylength. Also, energy may be conserved using ECC algorithms 154 comparedto RSA algorithms 153. An analysis of the energy conserved forciphering, deciphering, signing, and verifying messages using ECC versusRSA is included in the paper titled “Energy Analysis of Public-KeyCryptography on Small Wireless Devices” by Wander et al (hereinincorporated by reference). Smaller key lengths save bandwidth, memory,processing resources, and power, which are all valuable for a module 101to conserve a battery 101 k and usage of radio-frequency spectrum. Forexample, an ECC key length of 283 bits provides security similar to anRSA key length of approximately 2048 bits. Module public key 111 cancomprise an ECC key in an X.509 certificate, as illustrated in FIG. 1 g.

Certificate 122 could include a signature 123, where signature 123 canbe signed using ECC signature techniques, such as the Elliptic CurveDigital Signature Algorithm (ECDSA) 158 with a secure hash such asSHA256 156. A signature 123 in a certificate 122 containing an ellipticpublic key 111 could also be signed using a DSA algorithm 167. In orderto generate signature 123, the private key associated with either CA 118or module provider 109 may also be an ECC-based private key (for ECDSA158). Note that the public key 111 in a certificate 122 could use adifferent asymmetric ciphering algorithm 141 a than the algorithm usedfor signing, such that the public key 111 can be an ECC key, while thesignature 123 could be generated with RSA algorithm 153 and/or key.Certificate 122 may also include a subset of cryptographic parameters126 a (or “parameters 126 a”), where parameters 126 a can specify anelliptic curve utilized with the module public key 111. Parameters 126 acould also include the start and end times for the validity of eitherpublic key 111 or certificate 122. Other parameters 126 a can beutilized in a certificate 122 as well, including parameters 126 arecording a modulus for an RSA algorithm 153.

Certificate 122 illustrated in FIG. 1g also illustrates an exemplaryembodiment of the present invention. Over the lifetime of a module 101,which could be a decade or longer, multiple module public keys 111 maybe utilized. Exemplary reasons for the potential use of multipledifferent module public keys 111 include (i) the expiration of acertificate 122 (including expiration of a public key associated with acertificate authority 118 used in signature 123), (ii) a need to changean elliptic curve specified in a parameters 126, (iii) adding a newpublic/private key pair for connection with a different wireless network102, (iv) as increasing a key length utilized in a public/private keypair, (v) the transfer of ownership or control of module 101, and/or(vi) module 101 connecting to a new server 105 that utilizes a differentasymmetric ciphering algorithm (i.e. RSA instead of ECC). Otherpossibilities exist as well for reasons a module to derive a new modulepublic key 111. Note that the multiple module public keys 111 may alsobe utilized concurrently, such that (i) a first module public key 111 ina first certificate 102 can be utilized with a first server 105, and(ii) a second module public key 111 (possibly derived using a differentset of parameters 126 including using a different elliptic curve orasymmetric ciphering algorithm) can be utilized with a second server 105and/or wireless network 102.

In either case of (i) module 101 using multiple module public keys 111concurrently, or (ii) module 101 using different module public keys 111in sequence, a certificate 122 can preferably include a module publickey identity 111 a to specify the module public key 111 utilized in acertificate 122. As illustrated in FIG. 1j , the module public keyidentity 111 a could be included in the CN field, and the moduleidentity 110 can be included in the OU field. Alternatively, the modulepublic key identity 111 a and module identity 110 can be appendedtogether and used in the CN field. In this manner and according topreferred exemplary embodiments, a module public key identity 111 a isutilized with both a module identity 110 and a module public key 111within a certificate 122. Also, as noted previously herein, the use of acertificate 122 may optionally be omitted, such that module 101 andserver 105 share public keys without using certificates 122, or a server105 could use a certificate 122 and module 101 may omit a certificate122 and other possibilities exist as well.

FIG. 1k

FIG. 1k is a graphical illustration of hardware, firmware, and softwarecomponents for a server, in accordance with exemplary embodiments. Theillustrated components for the server 105 in FIG. 1k include a centralprocessing unit (CPU) 105 b, a random access memory (RAM) 105 e, asystem bus 105 d, storage 105 m, an operating system 105 h, and a modulecontroller 105 x. These elements can provide functions equivalent to thecentral processing unit (CPU) 101 b, RAM 101 e, system bus 101 d, flashmemory 101 w, and an operating system 101 h described above in FIG. 1b ,respectively. In general, a server 105 can have higher-end componentssuch as, but not limited to, a larger CPU 105 b and greater RANI 105 ein order to support communications with a plurality of modules 101.Server 105 can comprise a general purpose computer such as, but notlimited to, a rack mounted server within a data center or rack, or couldalso comprise a desktop computer or laptop. Server 105 could also be aspecialized computer, with hardware and software selected for supportinga plurality of modules 101 connecting and communicating simultaneously.Operating system 101 h can comprise an operating system appropriate fora server such as, but not limited to, Linux, Solaris®, or Windows®Server. Server 105 can preferably include at least one wired Ethernetconnection with high bandwidth that is persistently connected to the IPNetwork 107, while the IP Network 107 connection for module 101 may betransient as module 101 changes between sleep and active states. Modulecontroller 105 x can provide the server-side logic for managingcommunications and controlling module 101 using a module database 105 k.Network controller 105 i can provide functionality for communicatingwith external servers or nodes, such as, but not limited to, a wirelessnetwork 102 illustrated in FIG. 1 a.

A module controller 105 x and network controller 105 i may beapplications programmed in a language such as, but not limited to, C,C++, Java, or Python and could provide functionality to supportauthentication and communication with modules 101, including M2Mapplications such as, but not limited to, remote monitoring of sensorsand remote activation of actuators. Module controller 105 x and networkcontroller 105 i could also be software routines, subroutines, linkedlibraries, or software modules, according to preferred embodiments. Manyof the logical steps for operation of server 105, module controller 105x, and/or network controller 105 i can be performed in software andhardware by various combinations of physical interface 105 a, system bus105 d, device driver 105 g, and operating system 105 h. A modulecontroller 105 x and network controller 105 i can also access a set ofcryptographic algorithms 141 (in FIG. 1d above) in order (i) to encryptand decrypt data, and also (ii) process or generate a digital signatureand verify received digital signatures, including message digestauthentication. When server 105 is described herein as performingvarious actions such as, but not limited to, acquiring an IP address,monitoring a port, transmitting or sending a packet, receiving amessage, or encrypting or signing a message, specifying herein thatserver 105 performs an action can refer to software, hardware, and/orfirmware operating within server 105 performing the action. Ascontemplated herein, when a server 105 is described as performing anaction such as, but not limited to, sending a response, receiving amessage, verifying a digital signature, decrypting data, etc., in someembodiments a set of servers 1010 (illustrated in FIG. 10) can performthe actions for the server 105. In this case, a server 105 could be amember of the set of servers 1010.

The server 105 may store computer executable instructions such as, butnot limited to, module controller 105 x or network controller 105 i onstorage 105 m. Storage 105 m may comprise a disk drive, a solid-statedrive, an optical drive, or a disk array. Module controller 105 x (i)can manage communications with module 101 or a plurality of modules 101and (ii) may be downloaded and installed on the server 105. As notedpreviously and elsewhere herein, module program 101 i and modulecontroller 105 x can preferably interoperate with each other in order tocollect sensor data and control an actuator associated with a monitoredunit 119.

The network controller 105 i and/or module controller 105 x operatingwithin server 105 illustrated in FIG. 1k can provide computer executableinstructions to hardware such as CPU 105 b through a system bus 105 d inorder to (i) receive a message from the module 101 and (ii) send aresponse, wherein the message can include sensor 101 f data and theresponse can include an acknowledgement of the message and/or aninstruction to the module 101. The module controller 105 x can enablethe server 105 to send a response to a message from module 101 byrecording data associated with module 101 in memory such as RAM 105 e,where the data can include an instruction from module 101, a destinationIP:port number, a packet or packet header value, and the data can beprocessed using an encryption or ciphering algorithm or key, a digitalsignature algorithm or key, etc. The operating system 105 h or thedevice driver 105 g can write the data from RAM 105 e to a physicalinterface 105 a using a system bus 105 d and an Ethernet connection inorder to send the data via the IP Network 107 illustrated in FIG. 1a .Alternatively, the software program 105 i and/or module controller 105 xcan write the data directly to the physical interface 105 a using thesystem bus 105 d.

The server 105 can utilize the physical interface 105 a to receive datafrom a module 101 and/or wireless network 102 using a local area networksuch as Ethernet, although the physical interface 105 a of server 105could also utilize a wireless connection. The server 105 can listen ormonitor for data from the IP Network 107 using port number and/or aTCP/UDP socket. The received data from a module 101 can be a messageformatted according to an Internet packet or datagram or series ofdatagrams inside Ethernet packets and include information from a module101 such as, but not limited to, a source IP address and port number, anidentity of the module, sensor data that may be encrypted, and/or adigital signature of the module. The received data from wireless network102 can comprise a series of datagrams formatted according to InternetProtocol and/or datagrams inside Ethernet packets. The received data ormessage from wireless network 102 can include information regardingwireless network 102 and/or server 105, such as a source IP address andport number associated with wireless network 102, an identity of theserver, actuator instructions or commands for a module 101 that may beencrypted, and a digital signature associated with the wireless network102.

When server 105 receives messages or data, the operating system 105 h ordevice driver 105 g can record the received data from module 101 orwireless network 102 via physical interface 105 a into memory such asRAM 105 e. The network controller 105 i or operating system 105 h maysubsequently access the memory in order to process the data received.The network controller 105 i and/or module controller 105 x, oroperating system 105 h can include steps to process the data recorded inmemory and received from the module 101 or wireless network 102, suchas, but not limited to, parsing the received packet, decrypting data,verifying a digital signature with a key, or decoding sensor dataincluded in a message from the module.

The server 105 and/or network controller 105 i may communicate withwireless network 102 by sending and receiving packets over a LAN or theIP Network 107, using a physical interface 105 a and a wired connectionsuch as Ethernet or possibly a wireless connection as well. The server105 can use the physical interface 105 a such as an Ethernet connectionto send and receive the data from the IP Network 107. For those skilledin the art, other steps are possible as well for an network controller105 i or operating system 105 h within a server 105 to (i) send/receivea packet or message to/from a module 101 and (ii) send/receive a packetor message to/from an wireless network 102 without departing from thescope of the present invention. Network controller 105 i and modulecontroller 105 x may optionally be combined within a server 105, oralternatively distributed across different physical computers andfunction in a coordinated manner using a network.

The device drivers 105 g, operating systems 105 h, and/or modulecontroller 105 x could also optionally be combined into an integratedsystem for providing the server 105 functionality. Although a singlephysical interface 105 a, device-driver set 105 g, operating system 105h, module controller 105 x, and network controller 105 i are illustratedin FIG. 1k for server 105, server 105 may contain multiple physicalinterfaces, device drivers, operating systems, software programs, moduleprograms, and/or user interfaces. Server 105 may operate in adistributed environment, such that multiple computers operate inconjunction through a network to provide the functionality of server105. Also, server 105 may operate in a “virtualized” environment, whereserver 105 shares physical resources such as a physical CPU 105 b withother processes operating on the same computer. And other arrangementscould be used as well, without departing from the invention.

FIG. 1m

FIG. 1m is a graphical illustration of components within a server, inaccordance with exemplary embodiments. Server 105 can include a moduledatabase 105 k, a sub-server 105 w, and a message preprocessor 105 y.Server 105 can also include one or many sets of cryptographic parameters126, a secret ciphering algorithm ciphering 161, and a secret cipheringalgorithm deciphering 162. In an exemplary embodiment, the elementsillustrated within a server 105 in FIG. 1m may be stored in volatilememory such as RAM 105 e, and/or storage 105 m, and may also beaccessible to a processor CPU 105 b via a system bus 105 d. In anotherexemplary embodiment, the module database 105 k, sub-server 105 w, andmessage processor 105 y can comprise separate computers. Module database105 k, sub-server 105 w, and message preprocessor 105 y could representeither different processes or threads operating on a server 105, orphysically separate computers operating in conjunction over a network toperform the functions of a server 105. Since server 105 can preferablysupport communications with a plurality of modules 101, server 105 canutilize module database 105 k to store and query data regarding aplurality of modules 101, monitored units 119, and the overall M2Mservice. The server 105 can store a plurality of module public keys 111associated with each of a plurality of devices in the module database105 k. The server 105 can also store a plurality of shared secretnetwork keys K 129 d associated with each of a plurality of modules,where secret shared network key K 129 d is also depicted and describedin connection with FIGS. 9b and 11. The server 105 can use a moduleidentity 110, possibly in the form of a network module identity 110 b,for a module 101, received in a message to query the module database 105k and select the public key 111, secret shared network key K 129 d, asymmetric key 127, and other data associated with the module 101.

Although not illustrated in FIG. 1m , module database 105 k can alsorecord a pre-shared secret key code 134, a set of cryptographicparameters 126 or 126 a, and a module identity 110 for each module 101,along with the pre-shared secret key 129 a shown in FIG. 1m . Inembodiments where server 105 functions as a home subscriber server(HSS), module database 105 could record authentication triplets of aRAND 912, an RES 913 (both described in FIG. 9b below), and also anetwork authentication token. Examples of module database 105 k couldinclude MySQL, Oracle®, SQLite, hash tables, distributed hash tables,text files, etc. Module database 105 k could reside within RAM 105 e orstorage 105 m. Server 105 may also record a symmetric key 127, where thesymmetric key 127 can be associated with an expiration time 133.Symmetric key 127 can also be recorded in a module database 105 k or asub-server 105 w.

Message preprocessor 105 y can process incoming packets and route themto an appropriate sub-server 105 w using information contained in anincoming message, such as, but not limited to, a module identity 110 or110 b, a server identity 206 illustrated in FIG. 2 below, and/or adestination IP address. Sub-server 105 w can include a server privatekey 105 c and cryptographic algorithms 141. A plurality of sub-servers105 w can be utilized by a server 105 in order to support communicationwith a plurality of modules 101. The server private key 105 c and modulepublic key 111 can be utilized by module 101 to secure communicationwith server 105, including the steps depicted and described inconnection with FIG. 4 and FIG. 5a below. Cryptographic algorithms 141may comprise a suite of algorithms or subroutines and are depicted anddescribed in connection with FIG. 1 d.

Server 105 may also comprise a collection of individual computers, wherethe individual computers could be either centrally located orgeographically dispersed, but the individual computers may function in acoordinated manner over a network to operate as a server 105. Server 105may be a “virtualized” server, with computing resources shared withother processes operating on a computer. A server 105 as illustrated inFIG. 1k and FIG. 1m may also be operated by a wireless network 102.Wireless network 102 could belong to or be associated with a mobilenetwork operator 108. The mobile network operator (MNO) could controland/or own a public land mobile network (PLMN), and exemplary large MNOsin the United States in 2013 include AT&T® and Verizon®. The wirelessnetwork 102 as illustrated in FIG. 1a could comprise the radio accessportion of a mobile network operator's network, and a server 105 asillustrated in FIG. 1k and FIG. 1m could reside within the networkportion for a mobile network operator. In the embodiments where server105 is located on a mobile network operator's 108 network, the firewall104 could optionally be omitted, such that a server 105 can directlycommunicate with module 101 when module 101 is attached or connected to,or attempts to attach or connect to wireless network 102. Otherpossibilities exist as well for a server 105 to reside within a mobilenetwork operator's 108 network without departing from the scope of thepresent invention.

FIG. 2

FIG. 2 is a graphical illustration of an exemplary system, where amodule sends a message to a server, and where the module receives aresponse to the message, in accordance with exemplary embodiments.Module 101 as depicted and described in FIG. 2 can operate as a wirelessmodule 101, although a wired connection to the IP Network 107 couldalternatively be utilized. System 100 as illustrated in FIG. 2 includesRF signals 201, module IP address 202, port number 203, module IP:port204, server port number 205, server ID 206, server IP:port number 207,message 208, response 209, wireless network firewall address 210, andfirewall port binding packet 211. Many of the elements illustratedwithin system 100 in FIG. 2 are also depicted and described inconnection with FIG. 2 of U.S. patent application Ser. No. 14/039,401(the contents of which are hereby incorporated by reference in theirentirety). As contemplated herein, a wireless module 101 can comprise amodule 101, or in other words a wireless module 101 may be a module 101that is wireless. Functions described as being performed by a wirelessmodule 101 may also be performed by a wired module 101 (where connectionto a wired network would be used instead of connection to a wirelessnetwork 102). Also as contemplated herein and illustrated in FIG. 2, thewording “module 101 sends a message 208” can also be consideredequivalent to “server 105 receives a message 208”. Likewise, the wording“server 105 sends a response 209” can be considered equivalent to“module 101 receives a response 209”.

A wireless module 101 can wake from a dormant state in order perform (i)remote and automated monitoring and (ii) control functions such as, butnot limited to, collecting a sensor 101 f measurement, communicatingwith server 105, and controlling an actuator 101 y. If module 101 isconnected to land-line power or a long-lasting external power sourcesuch solar power, then module 101 may remain in an active state andbypass a dormant state, although transmitting RF signals 201 maypreferably only be utilized when communicating with wireless network 102or sending data to and receiving data from wireless network 102 and/ormobile network operator 108. The wireless module 101 can acquire an IPaddress 202 from the wireless network 102. IP address 202 is illustratedas being an IPv6 address, but IP address 202 could also be an IPv4address.

In order to transmit or send data from wireless module 101 to server105, a wireless module 101 can use module program 101 i to collect datafrom a sensor 101 f in order to update server 105. Module program 101 ican request a port number 203 from operating system 101 h in order tohave a source IP:port for sending data using IP protocols such as, butnot limited to, TCP and UDP. The terminology “IP:port” as describedherein refers to combining an IP address with a port number. Wirelessmodule IP address 202 and port number 203 can be combined to formIP:port number 204. IP:port number 204 can be utilized as a sourceIP:port number for packets transmitted from wireless module 101, as wellas a destination IP:port number for packets received by wireless module101, when communicating with server 105.

In order to utilize IP Network 107, module 101 may also need adestination IP address and port number in order to send packets toserver 105. Before sending data to server 105, wireless module 101preferably retrieves server IP address 106 and server port number 205from RAM 101 e. Server IP address 106 could be recorded in RAM 101 e via(i) a DNS query using server name 206 or (ii) queries to mobile networkoperator 108 or wireless network 102. CPU 101 b may copy server IPaddress 106 and server port number 205 from nonvolatile memory intovolatile memory such as, but not limited to, a register for processingto send a packet to server 105. Server name 206 could also be a serveridentity. (A) Server IP address 106 or server name 206 and (B) serverport number 205 could be recorded in a nonvolatile memory such as, butnot limited to, flash memory 101 w and/or an eUICC 163 so that wirelessmodule 101 can store the proper destination of packets transmitted orsent even when wireless module is dormant or shutdown. Server IP address106 and server port number 205 can be combined into a server IP:portnumber 207.

After collecting data from a sensor, module 101 can send a packet fromIP:port 204 to IP:port 207, and the packet could comprise a message 208that may include the data from a sensor 101 f. Note that message 208does not need to include sensor data, and message could potentially be aperiodic registration message or keep-alive message. As contemplatedherein, the term “sensor measurement” can refer to data associated withor derived from a sensor 101 f. A sensor measurement, can comprise astring containing data regarding a parameter of a monitored unit 119 andcollected by a sensor 101 f. The sensor measurement as sent in a message208 can also represent a string (alphanumeric, binary, text,hexadecimal, etc.), where the string comprises a transformation orprocessing of sensor data collected by a CPU 101 b, such includingformatting, compressing, or encrypting, encoding, etc. of sensor data. A“sensor measurement” could comprise a plurality of data from a sensor101 f.

In order to minimize bandwidth and time required for RF signals 201 tobe active, module 101 can send the message 208 as a single UDP datagramin accordance with a preferred exemplary embodiment. The single UDPdatagram in this embodiment can preferably be the only packet sent frommodule 101 to server 105 or mobile network operator 108 during a wakestate for the module 101 when the radio 101 z is active andtransmitting, such as, but not limited to, in a radio resource control(RRC) connected state. In other words, according to this preferredexemplary embodiment, the message 208 sent by module 101 can preferablybe the only message or packet sent by the wireless module to the server105 between dormant periods of module 101. By sending message 208 as asingle UDP datagram, both a battery 101 k is conserved and utilizationof valuable RF spectrum is reduced. Message 208 could also comprise aseries of associated UDP messages.

Also, as contemplated herein, message 208 could comprise a relatedseries of packets, so that message 208 could comprise multipledatagrams. As one example, if TCP is utilized as the transport protocolfor message 208, then the series of TCP messages including the initialhandshake, one or more packets of payload data, and the closing of theconnection could together comprise message 208. As another example, ifUDP or UDP Lite is utilized for the transport protocol, and payload dataexceeds a maximum transmission unit (MTU) size for the UDP packet andthe payload data is spread across multiple packets, then the multiplepackets would comprise a message 208. Further, a related series ofpackets comprising a message 208 could be identified by using the samesource IP:port number as either (i) received by server 105 or (ii) sentby module 101. In addition, a related series of packets comprising afirst message 208 could be identified as a series of packets sent bymodule 101 before receiving a response 209 from a server, and packetssent after receiving a response 209 could comprise a second message 208.Other possibilities for a message 208 to comprise multiple packets ordatagrams may exist without departing from the scope of the presentinvention.

The UDP datagram for message 208 could also be formatted according tothe UDP Lite protocol, as specified in IETF RFC 3828, which is alsoincorporated by reference herein. The term “UDP Lite” described in thepresent invention may also refer to any connectionless protocol widelysupported on IP Network 107 where checksums may be partially disabled,thereby supporting the transfer of bit errors within a datagram. Theadvantages of UDP over TCP is that UDP can be quickly sent, while TCPrequires a “handshake” with the server which requires more time andbandwidth, which would utilize more energy from battery 101 k. Accordingto an exemplary embodiment, both message 208 and response 209 can be TCPmessages. In this exemplary embodiment, message 208 and response 209could each comprise a series of TCP messages that can include a TCP SYN,SYN ACK, ACK, ACK w/data, FIN ACK, etc.

According to an exemplary embodiment, module 101 sends (and server 105receives) the same sensor data in multiple copies of the same UDPpacket. Each of the multiple copies of the same UDP packet can alsooptionally be formatted according to the UDP Lite protocol. As oneexample, wireless module sends three identical copies of the UDP or UDPLite packet that include the same sensor data. The benefit of sendingthree copies of UDP Lite include (i) the RF signals 201 received by thebase station 103 could include bit errors, which could result in aregular (RFC 768) UDP packet being dropped, since a bit error couldresult in a UDP checksum mismatch, as received and processed by wirelessnetwork 102. Note that the use of checksums is mandatory in IPv6, andthus checksums cannot be fully disabled in IPv6. With UDP Lite packetstransmitted by wireless module 101, where the mandatory checksum forIPv6 can cover the packet header, wireless network 102 can forward allpackets received, potentially including bit errors, to server 105 overthe IP Network 107.

Server 105 can receive the multiple copies of the UDP or UDP Litepackets, which could include bit errors received, and server 105 couldcompare or combine the multiple copies or each individual UDP Litepacket in order to remove bit errors. Note that UDP Lite is notrequired, and wireless module 101 could send the message 208 using asingle UDP packet, or multiple copies of a regular UDP (i.e. non UDPLite) packet. However, using UDP Lite with multiple packets sent canprovide benefits such as if the sensor data is encrypted in the packet,then a single bit error would normally break the receiver's ability todecipher the data using a cryptographic key, unless the encrypted datawas channel coded and the channel coding could recover from the biterror in order to present an error-free input of the encrypted data to adeciphering algorithm.

Further, between periods of sleep when a wireless module 101 becomesactive and transmits RF signals 201, module 101, which may also comprisea wireless module 101, could send the sensor data in a single UDP Litepacket where the packet includes channel coding, which can also bereferred to forward error correction. Forward error correction couldalso be implemented by sending multiple copies of the same UDP packet.Note that since large segments of message 208 could include encrypted orhashed data, those segments may not be appropriate for compression sincethe data is often similar to random strings which are not readilycompressed. Channel coding techniques for the data in message 208 couldinclude block codes and convolution codes. Block codes could includeReed-Solomon, Golay, BCH, Hamming, and turbo codes. According to apreferred exemplary embodiment, data within message 208 is sent as a UDPLite packet using a turbo code to correct multiple bit errors within apacket or datagram sent by module 101 and received by server 105.

In system 100 illustrated in FIG. 2, server 105 can use IP:port 207 toreceive the packet from wireless module 101 and sent from source IP:port204 to IP:port 207, and the packet could comprise a message 208 that mayinclude the data from a sensor associated with module 101 or monitoredunit 119. As contemplated herein, a message 208 illustrated in FIG. 2does not need to include sensor data and other data could be transmittedor sent, such as, but not limited to, a server instruction 414(described in FIG. 4 below), or other data pertaining to module 101 or amonitored unit 119. Note that server 105 can use IP:port 207 to receivea plurality of messages 208 from a plurality of wireless modules 101.Server 105 preferably listens for UDP packets on IP:port 207 or monitorsIP:port 207, although TCP packets could be supported as well. If server105 receives multiple copies of the same UDP packet from module 101,server 105 preferably includes a timer to drop duplicate packetsreceived outside a timer window such as, but not limited to, anexemplary 5 seconds.

After receiving the message 208 and processing the message according tothe techniques described below such as, but not limited to, in FIG. 4,server 105 can send a response 209. Since module 101 may belong to awireless network 102 which includes a firewall 104, the source IP:portof the message 208 received by server 105 could be different from thesource IP:port 204 utilized by wireless module 101. The source IP:portin message 208 could be changed if firewall 104 performs network addresstranslation (NAT), as one example. Server 105 may not readily know if aNAT translation has been performed on the message 208. Alternatively,firewall 104 may not perform NAT, but could still block data from the IPNetwork 107 which does not properly match the firewall rules. As oneexample, firewall 104 could be a symmetric firewall (but without NATfunctionality), where only packets from IP:port 207 to IP:port 204 areallowed to pass the firewall after message 208 has been sent by module101.

In either case, where firewall 104 may or may not perform NAT routing,server 105 preferably sends the response 209 from the server IP:port 207to the source IP:port it receives in message 208. According to apreferred exemplary embodiment, response 209 is a UDP packet sent fromserver 105 with (i) a source IP:port 207 and (ii) a destination IP:portequal to the source IP:port received in message 208, as illustrated inpacket 209 a. The example use of source and destination IP:ports inmessage 208 and response 209 are also illustrated in FIG. 6a below. Inthis manner, the UDP packet can traverse a firewall 104, if firewall 104is present. If firewall 104 is present and performs NAT routing, thenfirewall 104 can receive the response 209 and change the destination IPaddress and port within response 209 to equal IP:port 204.

According to exemplary preferred embodiments, module 101 may also obtainpower from a land-line source, such as, but not limited to, atraditional 120 volt wall socket, or possibly power over Ethernet, andother non-transient power sources could be utilized as well. In thiscase, module 101 may remain persistently connected to the Internetthrough either a wireless network 102 or a wired connection such as, butnot limited to, Ethernet. In other words, module 101 may omit enteringperiods of sleep or dormancy where inbound packets from the Internetwould not be received due to the sleep state of module 101. Consequentlyin an exemplary embodiment, module 101, which does not sleep for periodslonger than a minute, may preferably periodically send a firewall portbinding packet 211 from IP:port 204 to IP:port 207 in order to keepports and addresses within a firewall 104 and/or firewall 124 open tocommunications between module 101 and server 105. Firewall port bindingpacket 211 can comprise a packet that is sent periodically using a timerinterval that is shorter than the port-binding timeout period 117 on afirewall 104 and firewall 124.

Continuing with this exemplary embodiment where module 101 does notsleep for periods longer than approximately one minute, if UDP isutilized for message 208 and response 209, then a small UDP packetcomprising firewall port binding packet 211 can be sent periodicallysuch as, but not limited to, every 45 seconds. If TCP is utilized formessage 208 and response 209, then a small TCP packet comprisingfirewall port binding packet 211 can be sent periodically such as, butnot limited to, every 4 minutes. Other possibilities for the timing ofsending firewall port binding packet 211 are possible as well. Bysending firewall port binding packet 211 periodically, server 105 cansend module 101 a response 209, (i) which could include a moduleinstruction 502 as explained in FIG. 5a , at (ii) time intervals betweenmessage 208 and response 209 that are longer than the firewall portbinding timeout values 117 of firewall 104 and/or firewall 124. Withoutfirewall port binding packet 211, if (A) a response 209 sent from server105 at an exemplary 180 seconds after receiving message 208, such as,but not limited to, after a firewall port binding timeout value 117 offirewall 104 of an exemplary 60 seconds transpired, then (B) response209 would be dropped by firewall 104 and the response 209 would not bereceived by module 101.

FIG. 3a

FIG. 3a is a flow chart illustrating exemplary steps for a module tosend sensor data to a server, in accordance with exemplary embodiments.As illustrated in FIG. 3a , FIG. 3a may include the data reporting steps101 x used by a module 101 in a module program 101 i, where datareporting steps 101 x and a module program 101 i are depicted anddescribed in connection with FIG. 1b above. The processes andoperations, including data reporting steps 101 x, described below withrespect to all of the logic flow diagrams may include the manipulationof signals by a processor and the maintenance of these signals withindata structures resident in one or more memory storage devices. For thepurposes of this discussion, a process can be generally conceived to bea sequence of computer-executed steps leading to a desired result. Thesesteps usually require physical manipulations of physical quantities.Usually, though not necessarily, these quantities take the form ofelectrical, magnetic, or optical signals capable of being stored,transferred, combined, compared, or otherwise manipulated. It isconvention for those skilled in the art to refer to representations ofthese signals as bits, bytes, words, information, elements, symbols,characters, numbers, points, data, entries, objects, images, files, orthe like. It should be kept in mind, however, that these and similarterms are associated with appropriate physical quantities for computeroperations, and that these terms are merely conventional labels appliedto physical quantities that exist within and during operation of thecomputer.

It should also be understood that manipulations within the computer areoften referred to in terms such as listing, creating, adding,calculating, comparing, moving, receiving, determining, configuring,identifying, populating, loading, performing, executing, storing etc.that are often associated with manual operations performed by a humanoperator. The operations described herein can be machine operationsperformed in conjunction with various input provided by a human operatoror user that interacts with the computer.

In addition, it should be understood that the programs, processes,methods, etc. described herein are not related or limited to anyparticular computer or apparatus. Rather, various types of generalpurpose machines may be used with the following process in accordancewith the teachings described herein.

The present invention may comprise a computer program or hardware or acombination thereof which embodies the functions described herein andillustrated in the appended flow charts. However, it should be apparentthat there could be many different ways of implementing the invention incomputer programming or hardware design, and the invention should not beconstrued as limited to any one set of computer program instructions.

Further, a skilled programmer would be able to write such a computerprogram or identify the appropriate hardware circuits to implement thedisclosed invention without difficulty based on the flow charts andassociated description in the application text, for example. Therefore,disclosure of a particular set of program code instructions or detailedhardware devices is not considered necessary for an adequateunderstanding of how to make and use the invention. The inventivefunctionality of the claimed computer implemented processes will beexplained in more detail in the following description in conjunctionwith the remaining Figures illustrating other process flows.

Further, certain steps in the processes or process flow described in allof the logic flow diagrams below must naturally precede others for thepresent invention to function as described. However, the presentinvention is not limited to the order of the steps described if suchorder or sequence does not alter the functionality of the presentinvention. That is, it is recognized that some steps may be performedbefore, after, or in parallel other steps without departing from thescope and spirit of the present invention.

The processes, operations, and steps performed by the hardware andsoftware described in this document usually include the manipulation ofsignals by a CPU or remote server and the maintenance of these signalswithin data structures resident in one or more of the local or remotememory storage devices. Such data structures impose a physicalorganization upon the collection of data stored within a memory storagedevice and represent specific electrical or magnetic elements. Thesesymbolic representations are the means used by those skilled in the artof computer programming and computer construction to most effectivelyconvey teachings and discoveries to others skilled in the art.

At step 301, before final distribution of the module to a sales channel,equipment distributors, or end users, a module private key 112 andmodule identity 110 could be recorded in non-volatile memory 101 w ofthe module 101. The module private key 112 could be a private keyformatted according to the X.500 series of standards published by theInternational Organization for Standardization (ISO) in ISO/IEC 9594 orsimilar and subsequent standards, or alternatively according to anotherformat including a propriety format. The module private key 112 could beformatted using RSA encryption algorithms or ECC encryption algorithms,and other possibilities exist as well for the format of encryptionand/or decryption keys without departing from the scope of the presentinvention. Note that step 301 contemplates an alternative to the casewhere a module 101 derives its own public and private keys using keypair generation algorithms 141 e. Thus, the present invention alsocontemplates that a module private key 112 is derived outside module 101and loaded into nonvolatile memory 101 w. Note that in this case, wheremodule private key 112 is loaded from an external source to module 101,that module 101 could still utilize other features contemplated herein,such as if module 101 needed to derive public and private keys in thefuture after the initial step 301.

Module identity 110 can be a unique identifier associated with module101, and can represent a number or a string. The module private key 112and module identity 110 could be recorded in non-volatile memory 101 wby the manufacturer, or a service provider. Alternatively, the moduleprivate key 112 and module identity 110 could be recorded innon-volatile memory 101 c by the end users. At step 302, the module isdistributed and installed in physical proximity to a monitored unit 119.Although step 301 is illustrated as occurring before step 302 accordingto an exemplary embodiment, step 301 can take place after step 302 orconcurrently with step 302, and other possibilities exist as wellwithout departing from the scope of the present invention.

After installation of the module 101, module 101 can wake from a dormantstate in step 303. The dormant state can comprise a state of low powerusage as described in FIG. 1c , in order to conserve battery life andwired bandwidth or wireless spectrum resources. As noted in FIG. 1c ,module 101 can utilize a bootloader program 125 in order to initiateoperations from a sleep or dormant state. At step 303, the moduleprivate key 112, module identity 110, server identity 206, and/or serveraddress 106 could be moved from non-volatile memory 101 w into RAM 101e. At step 304, the module 101 can read the module private key 112 andmodule identity 110 recorded in RAM 101 e, and also record the serverpublic key 114 and server IP:port 207. The server public key 114 andserver IP:port 207 could also be either locally stored previous to step304 in a non-volatile memory 101 w, or obtained through the IP Network107 via a query to mobile network operator 108. As one example, module101 could obtain the server public key 114 by establishing an Internetconnection through a network such as a wireless network 102 anddownloading the server public key 114 from server 105.

If module 101 utilizes a sleep or dormant state (according to exemplarysleep or dormant states depicted and described in connection with FIG.1c of U.S. patent application Ser. No. 14/023,181, which is hereinincorporated by reference) in order to conserve power consumption orenergy utilization, then according to a preferred exemplary embodimentat step 304, after waking, module 101 can preferably read fromnonvolatile such as a flash memory 101 w each of (i) module private key112, (ii) module identity 110, (iii) the server public key 114, (iv)server IP:port 207, and (v) data reporting steps 101 x. The location ofserver 105 could be obtained via a DNS query using the server identity206. Although not illustrated in FIG. 3a , server identity 206 andserver IP:port 207 could also be recorded in non-volatile memory at step301. Other means are possible as well for module 101 to obtain serverpublic key 114 and server IP:port 207.

At step 305, the module 101 can read data from a sensor 101 f. The datacan comprise information regarding a monitored unit 119, as illustratedin FIG. 1a . As referenced herein, the data collected at step 305 maycomprise a sensor measurement 305 or sensor data 305. At step 306, themodule can utilize cryptographic algorithms 141 to (i) encrypt the datafrom sensor 101 f using the server public key 114 and (ii) sign theencrypted data using the module private key 112. Note that a symmetricciphering algorithm 141 b may be used at step 306, but since thesymmetric key 127 may be derived using the server public key 114, thesensor data 305 can be encrypted using the server public key(indirectly) at step 306. According to a preferred exemplary embodiment,the module can add channel coding to the data resulting from the stepstaken in the previous sentence, although the channel coding canoptionally be omitted. A more detailed description of the steps forencrypting and signing data from the sensor are included in FIG. 4abelow.

After encrypting and signing sensor data, the module can send the datato the server 105 in message 208, where message 208 is formatted andsent according to a either a TCP or UDP packet. An exemplary format ofmessage 208 is also depicted and described in connection with FIG. 6below. Message 208 could be sent using the UDP Lite protocol, althoughthe message could also be sent in a TCP datagram, after completing theinitial TCP “handshakes” with server 105. Message 208 in the form of aUDP or TCP datagram can be sent from the module IP:port 204 to theserver IP:port 207. Message 208 can also comprise sending the sensordata in multiple datagrams, including two or more copies of the samedata. Although not illustrated in FIG. 3a , upon the first communicationwith a server 105, according to an exemplary embodiment, module 101 cansend a certificate 122 to server 105, where certificate 122 wouldnormally include module public key 111. Server 105 could utilize acertificate 122 to verify a module identity 110.

As illustrated in FIG. 3, the module 101 can then receive reply fromserver 105 to the message 208 in the form of a response 209. Response209 can be encrypted with the module public key 111 and signed with theserver private key 105 c, as depicted and described in connection withFIG. 5a below. An exemplary format of the response 209 is also depictedand described in connection with FIG. 6 below. The module 101 canreceive the encrypted response 209 to message 208 in a datagram 209 athat is sent from server IP:port 207 and received at module IP:port 204.

At step 307 a, the module 101 can process the response 209 by decryptingthe response 209 using the module private key 112 and cryptographicalgorithms 141. At step 307 b, module 101 can verify a digital signatureof response 209 using the server public key 114 and cryptographicalgorithms 141. Additional details regarding step 307 a and 307 b aredepicted and described in connection with FIG. 5a below. Note thatencryption of response 209 may be optionally omitted and a digitalsignature in response 209 may also be optionally omitted. Although notshown in FIG. 3a , if the module 101 cannot decrypt the response 209 orverify the digital signature of response 209, then the module 101 candrop the response 209 and optionally send message 208 again.

After the module 101 successfully processes response 209 in steps 307 aand 307 b, as shown in step 308, the module 101 can sleep the CPU 101 band/or shutdown the radio 101 z. Step 308 could comprise the module 101entering the “radio off” state 505 a as depicted and described inconnection with FIG. 6b of U.S. patent application Ser. No. 14/023,181(the contents of which are hereby incorporated by reference in theirentirety), and/or entering the “CPU off” state 505 b as described inFIG. 6c of U.S. patent application Ser. No. 14/023,181. Step 308 couldalso comprise the module 101 sending a detach message to a wirelessnetwork 102 as depicted and described in connection with FIG. 6a of U.S.patent application Ser. No. 14/023,181. Thus, according to a preferredexemplary embodiment, module 101 can omit sending or receiving anyfurther radio resource control messages after processing the encryptedand/or signed response 209, when completing step 308.

After entering the sleep state in step 308, the module can thenperiodically check a sleep timer at step 309, and wake from sleep if thetimer has expired and report subsequent data from a sensor 101 f to aserver 105 by returning to step 305.

FIG. 3b

FIG. 3b is a graphical illustration of components within a receivedprofile and an activated profile for an embedded universal integratedcircuit card (eUICC), in accordance with exemplary embodiments. The needfor supporting M2M applications, where swapping out a SIM card or UICCcard may not be practical, supports the use of an alternative embeddeduniversal integrated circuit card (eUICC). Note that the development ofan eUICC for M2M applications could extend to mobile phones and smartphones generally in the future, such that a SIM card or UICC would notneed to be distributed to end users for insertion into mobile phones orM2M devices, thereby reducing costs and increasing the flexibility ofmodules 101 to quickly and easily connect with different wirelessnetworks 102. In September of 2013, ETSI published an outline of therequirements for an eUICC specification in ETSI TS 103 383 v12.2.0,while many of the implementation details remain under study and reviewas of November 2013. ETSI technical specification TS 103 383 v12.2.0 isherein incorporated by reference in its entirety.

A primary feature of an eUICC 163 can be the automated and remotehandling of network access credentials. An eUICC 163 can supportsubscriber and user equipment access a wireless network 102 such as aPLMN that supports ETSI standards such as LTE and future mobile operatornetworks. The electronic distribution of network access credentials suchas the traditional Ki or K pre-shared secret key in mobile networksfaces significant security challenges in the form of a profile for aneUICC 163. FIG. 3b illustrates an exemplary embodiment, where theinternal derivation of a module private key 112 and a module public key111 in the present invention can provide in a secure and flexible mannereither (i) essential network access credentials directly (where networkaccess credentials can use a module private key 112 and module publickey 111), or (ii) the support of the derivation of a secret sharednetwork key K 129 d (thereby allowing network access credentials toremain both secure and fully compatible with deployed wireless networksreliant on key K).

A received eUICC profile 311 could provide information for connecting toa wireless network 102. A received eUICC profile 311 can include much orall of the same information available to a module 101 from a traditionalphysical SIM card or UICC. The received eUICC profile 311 can comprise aprofile for the eUICC 163 that is received by module 101. The module 101can receive the profile 311 via a radio 101 z or a network interface 101a such as a usb interface 101 v (in embodiments where a manufacturers,distributor, module provider 109, or end user load an initial receivedprofile 311). An eUICC 163 can support multiple profiles in order for amodule 101 to connect with multiple different wireless networks 102 thatsupport ETSI and similar standards for wireless WANs. A received eUICCprofile 311 could also comprise a file or a set of data that isencrypted using any of a symmetric ciphering algorithm 141 b, anasymmetric ciphering algorithm 141 a, or potentially a secret cipheringalgorithm 141 h. The file or set of data which includes network accesscredentials 312 for a wireless network 102 can comprise a received eUICCprofile 311. The encryption of a received eUICC profile 311 is notillustrated in FIG. 3b , and for clarity the received eUICC profile 311is illustrated in FIG. 3b in plaintext form. As contemplated herein,received eUICC profile 311 may be referred to as profile 311, andactivated eUICC profile 311 may be referred to as profile 313. Profile311 can be a file or set of data that is (i) received by module 101 and(ii) includes network access credentials 312. Profile 313 can be a fileor set of data that is (i) selected and/or activated by module 101 in aprofile activation step 316, and (ii) includes network accesscredentials 314.

In addition, according to a preferred exemplary embodiment, a receivedeUICC profile 311 is encrypted with a symmetric ciphering algorithm 141b and a derived shared secret key 129 b as a symmetric key 127 for thesymmetric ciphering algorithm 141 b. The derived shared secret key 129 bcould be derived using a key derivation function 141 f and input of atleast an initial module private key 112 b. The key derivation function141 f could comprise an ECDH 159 key exchange, such that the networkpublic key 165 b could also be input into the key derivation function,where the cryptographic parameters for an ECDH 159 comprise a base pointG. Consequently, in an exemplary embodiment, module 101 can receive theprofile 311 and decrypt the profile 311 using the initial module privatekey 112 b. In other words, the initial module private key 112 b can beinput into an ECDH 159, and the resulting derived shared secret key 129b (which would be mutually derived by a server 105) could be used with asymmetric ciphering algorithm 141 b for a module 101 to decrypt thereceived profile 311. In another embodiment, the initial module privatekey 112 b could comprise a symmetric ciphering key 127, such that module101 can decrypt the profile 311 directly using the initial moduleprivate key 112 b and a symmetric ciphering algorithm 141 b (and aserver 105 associated with an eUICC subscription manager 164 couldencrypt the profile 311 using the initial module private key 112 b.

In exemplary embodiments, the received eUICC profile 311 can include ashared secret key 510, where the shared secret key 510 can be used toauthenticate a derived module public key 111 in a set of activatedmobile network operator (MNO) network access credentials 314 after aprofile activation step 316. A shared secret key 510 is also depictedand described in further detail in connection with FIG. 5b below. Ashared secret key 510 within a received eUICC profile 311 may beoptionally omitted, and an initial key K 325 could be used by module 101to securely and/or authoritatively send a derived module public key 111(and/or a key K module token 1103) to a wireless network 102, asdepicted and described in FIG. 5b , FIG. 7, and FIG. 9b below.

In exemplary embodiments, the received eUICC profile 311 can include aninitial key K 325, which could comprise a standard shared secret key Kfor accessing wireless network 102 (such as a key K contemplated in 3GPPTS 33.401 V12.9.0 FIGS. 6.2-1 and related standards). The initial key K325 with network module identity 110 b can be used by module 101 toinitially connect with wireless network 102. Upon or after the initialconnection from module 101, wireless network 102 can receivecryptographic data from module 101 such as, but not limited to, aderived module public key 111 and/or a key K module token 1103 (depictedand described in connection with FIG. 11 below). After sending thecryptographic data using the initial key K 325, module 101 and mobilenetwork operator 108 could mutually derive the new secret shared networkkey K 129 d illustrated in FIG. 3b (using steps depicted and describedin connection with FIG. 9b and FIG. 11 below). Module 101 and mobilenetwork operator 108 could subsequently (i) record the derived, secretshared network key K 129 d recorded by a module 101 within an activatedeUICC profile 313 in an eUICC 163, and (ii) use the derived, secretshared network key K 129 d with the network module identity 110 b as aset of activated mobile network operator network access credentials 314.Additional details for using a module private key 112, module public key111, and a key K module token 1103 in order to derive a mutually sharedsecret shared network key K 129 d is depicted and described inadditional Figures below.

As contemplated herein, a received eUICC profile 311 and an activatedeUICC profile 313 can comprise versions or subsets of profiles for aneUICC contemplated in ETSI specification TS 103 383 v12.2.0 and relatedstandards. Also as contemplated herein, a received eUICC profile 311 canbe referred to as a “received profile”, and likewise an activated eUICCprofile 313 below can be referred to as an “activated profile”. Areceived eUICC profile 311 can include a set of cryptographic parameters126, a set of network parameters 310, and a received mobile networkoperator (MNO) network access credentials 312. The received MNO networkaccess credentials 312 could include a network module identity 110 b,and the network module identity 110 b could comprise an IMSI number orsimilar network identifier. In an exemplary preferred embodiment, thereceived MNO network access credentials 312 does not include a moduleprivate key 112 and corresponding module public key 111, and these keyscan be derived by a module 101 and subsequently included in an activatedeUICC profile 313 below. The received MNO network access credentials 312can include an initial key K 325 for initial communication with awireless network 102 for a mobile network operator 108. A set ofcryptographic parameters 126 are depicted and described in connectionwith FIG. 1d and FIG. 1i and other Figures herein.

The set of network parameters 310 could comprise a list of values andsettings for a module 101 to utilize in connecting with a mobile network101. The settings could include a list of numbers or strings for valuessuch as (i) allowed frequencies or frequency bands to scan, (ii)preferred access lists for roaming onto other wireless networks, (iii)criteria for a module 101 to select base stations in idle mode, (iv)support for emergency services, (v) supported languages or characterencoding, etc. While a received eUICC profile 311 is activated, thenetwork module identity 110 b can be uniquely associated with a moduleidentity 110, and thus a network module identity 110 b could comprise amodule identity 110, in order to identify module 101 with a wirelessnetwork 102. A received eUICC profile 311 could also include a networkpublic key 165 b, which could provide functionality equivalent for aserver public key 114, with additional differences between a networkpublic key 165 b and a server public key 114 could be (i) network publickey 165 b can be associated with entities such as MNO 108 or eUICCsubscription manager 164, and (ii) network public key 165 b can beassociated with network private key 165 a. Network public key 165 bcould also be associated with a plurality or collection of servers 105,such as the set of servers 1010 illustrated in FIG. 10, while a serverpublic key 114 could be associated with a particular server 105. Asillustrated in FIG. 1c , the network public key 165 b can be recorded inthe eUICC 163 directly instead of within a received eUICC profile 313,and other possibilities exist as well without departing from the scopeof the present invention.

In exemplary embodiments, a received eUICC profile 311 could be storedor recorded in a nonvolatile memory of module 101 such as, but notlimited to, a flash memory 101 w. An initial, first received eUICCprofile 311 could be loaded into an eUICC 163 of module 101 by amanufacturer during manufacturing of module 101, a distributor duringdistribution of module 101, or a technician or end-user uponinstallation or receipt of module 101. The initial, first received eUICCprofile 311 could also be recorded in a nonvolatile memory such as a ROM101 c, and a manufacturer or module provider 109 could write theinitial, first received eUICC profile into the ROM 101 c beforedistribution, and other possibilities exist as well. Note that andadditional, second received eUICC profile 311 (or a plurality ofreceived eUICC profiles 311) could be received by a module 101 afterconnection to an initial wireless network 102 using the initial, firstreceived eUICC profile 311. Other possibilities exist as well for amodule 101 to receive and record a received eUICC profile 311 withoutdeparting from the scope of the present invention. The second, receivedeUICC profile 311 could be received by a module 101 from an eUICCsubscription manager 164 (such as in a response 209 from a server 105operated by a subscription manager 164).

A module 101 could convert a received eUICC profile 311 into anactivated eUICC profile 313, after waking from a dormant state in orderto connect with an initial wireless network 102 using a profileactivation 316 step. For a profile activation 316 step, a module 101could populate or provide the received MNO network access credentials312 with a derived module private key 112 and a derived module publickey 111. In this manner, a profile activation step 316 can take a stepto convert a received eUICC profile 311 into an activated eUICC profile313, and other steps for activation of a received eUICC profile 311 maybe required as well. Within a profile activation step 316, a module 101could use the set of cryptographic parameters 126 within the receivedeUICC profile 311 and a set of cryptographic algorithms 141, including akey pair generation algorithm 141 e and a random number generator 128 inorder to derive the module private key 112 and a corresponding modulepublic key 111. The processing, generation, and/or derivation by amodule 101 of a module PKI key pair 315 in a profile activation step 316is also depicted and described in further detail along with a step 515in FIG. 5b below.

The derived module private key 112 and derived module public key 111could comprise a first derived module PKI key pair 315. By populating orassociating the received MNO network access credentials 312 with aderived module private key 112 and a corresponding module public key 111in a profile activation step 316, the module 101 can convert, transform,or process the received MNO network access credentials 312 into anactivated MNO network access credentials 314 within an activated eUICCprofile 313, whereby the activated eUICC profile 313 can include or beassociated with the derived module private key 112 and a correspondingmodule public key 111. Within an activated eUICC profile 313, thederived module private key 112 and a corresponding module public key 111could be recorded or associated with a set of activated MNO networkaccess credentials 314. The activated eUICC profile 313 could berecorded in an eUICC 163. In another exemplary embodiment, the recordingby a module 101 of a derived module private key 112 and a correspondingmodule public key 111 can occur at a separate time than a profileactivation step 316, although the module PKI key pair 315 may preferablybe recorded by a module 101 before module 101 completes a connection toa wireless network 102. For example, the module 101 could potentially“pre-populate” or “pre-associate” the received MNO network accesscredentials 312 with a derived module PKI key pair 315 before a profileactivation step 316. Note that a derived module private key 112 and acorresponding module public key 111 may optionally not be recordeddirectly within an activated eUICC profile 313, but rather can beseparately associated by a module 101 or an eUICC 163 with an activatedeUICC profile 313.

In exemplary embodiments, the first activated eUICC profile 313 could bedeactivated and continued to be recorded by a module 101, along with thefirst derived module PKI key pair 315, for potential later use. Themodule 101 could subsequently activate a second received eUICC profile311, including populating or associating the second received eUICCprofile 311 with a second, different, derived module PKI key pair 315(i.e. different than the first derived module PKI key pair 315) in orderto connect with a second wireless network 102 for a second mobilenetwork operator 108 using a second activated MNO network accesscredentials 314 with the second, different, derived module PKI key pair315. In other words, a module 101 could use a profile activation step316 a second time with the second received eUICC profile 311, resultinga second activated eUICC profile 313 where the first activated eUICCprofile 313 had been deactivated. Although not illustrated in FIG. 3b ,an activated eUICC profile 313 can optionally continue to record theinitial key K 325 from the received eUICC profile 311 before a profileactivation step 316.

Upon reactivation of the first activated eUICC profile 313 (which couldbe deactivated in order to use the second received eUICC profile 311 asdescribed in the paragraph above) in order to connect with the initialwireless network 102 a second time, the module 101 could either (i)reuse the first derived module PKI key pair 315, or (ii) derive a newderived module PKI key pair 315. Thus, a profile activation step 316could populate a received eUICC profile 311 with a derived module PKIkey pair 315 if the received eUICC profile 311 does not already includea derived module PKI key pair 315, but a profile activation step 316could reuse an existing derived module PKI key pair 315 for reactivatinga previously used (but deactivated) activated eUICC profile 313. Inanother embodiment, a profile activation step 316 could repopulate apreviously used (but deactivated) activated eUICC profile 313 with a newderived module PKI key pair 315.

In exemplary embodiments, a module 101 and a wireless network 102 couldperform many additional steps in order for a module 101 to utilize areceived eUICC profile 311 and an activated eUICC profile 313,including: populating an activated eUICC profile 313 with other data,encrypting and decrypting a received eUICC profile 311, providing accessto a wireless network 102 to control or update an activated eUICCprofile 313 or a received eUICC profile 311, implementing policies forthe remote management of an eUICC 163, installing or loading an eUICCprofile, deleting an eUICC profile. Profiles received and activated by amodule 101 using an eUICC 163 could be provided and managed by an eUICCsubscription manager 164, in addition to many other steps andprocedures. These additional steps and procedures for the utilization ofan eUICC 163, other than steps and elements described in FIG. 3bincluding (i) the use of a derived module PKI key pair 315, (ii)deriving a secret shared network key K 129 d, and (iii) using an initialkey K 325 but then subsequently the secret shared network key K 129 d,are known to those of ordinary skill in the art and thus are notdescribed in additional detail herein. Additional steps related to amodule 101 using a profile activation 316 step to derive and utilize amodule PKI key pair 315 as a basis for (i) network access credentials,(ii) the secure authentication and verification of a module identity 110(possibly comprising a network module identity 110 b), and (iii)encryption or ciphering of data transmitted from or received by a module101, are depicted and described in additional Figures below.

FIG. 4

FIG. 4 a is a flow chart illustrating exemplary steps for a module toprocess a message, including encrypting sensor data and sending adigital signature, in accordance with exemplary embodiments. The stepsillustrated in FIG. 4 may comprise step 306 illustrated in FIG. 3aabove. Since message 208 and response 209 may traverse the wirelessnetwork 102 and IP Network 107, according to an exemplary preferredembodiment, a module 101 and a server 105 can take additional steps inorder to maintain security of a system 100. Since module 101 couldconnect from a wide variety of networks, such as LAN, wireless LAN,wireless WAN, etc., server 105 may optionally support module 101connecting from any valid IP address, including addresses outside of amobile network operator's 108 wireless network 102. Module 101 canprocess a message 208 using the sequence of steps illustrated in FIG. 4.For additional clarification, an exemplary format of a message 208,using the exemplary steps of FIG. 4, is illustrated in FIG. 6 below.Note that the security methods described herein are optional, andmessage 208 and response 208 can be sent without the additional securitysteps described herein, but the use of these security steps may bepreferred. FIG. 4 can contain the messages and steps shown within step306 of FIG. 3a , where a module 101 processes message 208 before sendingit to server 105 through the wireless network 102 and IP Network 107.

As illustrated in FIG. 4, in preparing a message 208 to send to server105, module 101 can utilize a sensor measurement 305, where the sensormeasurement 305 comprises sensor data acquired by a sensor 101 fassociated with module 101. A sensor measurement 305 is also depictedand described in connection with FIG. 1c above, and may comprise astring or number containing data regarding a parameter of a monitoredunit 119. Sensor measurement 305 can also comprise a plurality ofmeasurements or processed sensor measurements 305 such as an averagevalue over time, high and low values, etc. Sensor measurement 305 couldbe either raw or processed data collected by a sensor 101 f. Asillustrated in FIG. 4, module 101 could also include a serverinstruction 414, which could be a command for server 105 such as anupdate, query, or notification. A server instruction 414 could also beused by module 101 as input into step 402 below, where the serverinstruction 414 can be encrypted.

Module 101 may optionally add a security token 401, which could also bea random number, or a randomly generated text, binary, or hexadecimalstring. Security token 401 could be created using random numbergenerator 128 and included in message 208 in order to make each message208 unique and thus avoid any replay attacks when message 208 traverseswireless network 102 and IP Network 107 in order to securely reachserver 105. A random number in security token 401 could be processed bymodule 101 using a seed 128 b in a random number generator 128, wherethe seed utilizes data from sensor 101 f as input into the seed, asillustrated in FIG. 1c above. Security token 401 could alternatively bea non-random number used to make message 208 unique, such as a timestampwith significant digits to milliseconds or microseconds, and otherpossibilities for security token 401 exist as well. In other words, theuse of security token 401 can ensure to a high level of certainty thateach message 208 will be different and thus the same data within message208 would not be sent more than once (other than a short timeframe suchas within a few seconds where the same UDP packet for a message 208could be intentionally sent more than once in order to implement andsupport forward error correction).

At step 401 a, if (i) module 101 is sending message 208 to server 105for the first time, or (ii) expiration time 133 for a previous symmetrickey 127 has transpired, then module 101 may preferably include asymmetric key 127 within message 208, where the symmetric key 127 wouldbe encrypted using an asymmetric ciphering algorithm 141 a with themodule private key 112 at step 402. In this case of (i) or (ii) in theprevious sentence, module 101 can securely send the symmetric key 127 toserver 105, which could then utilize symmetric key 127 in a symmetricciphering algorithms 141 b at later steps. As noted in FIG. 1d ,symmetric key 127 could be derived using cryptographic algorithms 141and a random number from random number generator 128. If (a) module 101has already sent a message 208 to server 105, or (b) expiration time 133for a symmetric key 127 has not transpired (and thus symmetric key 127would remain valid), then module 101 can omit including symmetric key127 at step 401 a.

At step 402, module 101 could utilize the sensor data 305, securitytoken 401, server public key 114, server instruction 414 (not shown) andthe cryptographic algorithms 141 to encrypt the sensor data 305 andsecurity token 401. A step 402 could utilize either a symmetricciphering algorithm 141 b with a symmetric key 127 or an asymmetricciphering algorithm 141 a with the server public key 114. Symmetricciphering 141 b may be used to encrypt sensor data 305, and asymmetricciphering 141 a may be used to encrypt a symmetric key 127. The outputof step 402 can be module encrypted data 403. If a symmetric key 127 isincluded within message 208, then module 101 preferably utilizesasymmetric ciphering 141 a with server public key 114 at step 402. Theasymmetric ciphering 141 a at step 402 may be processed according to RSAalgorithms 153, elliptic curve cryptography (ECC) algorithms 154, orother asymmetric ciphering algorithms for either public key cryptographyor proprietary methods.

Note that if (A) a symmetric key 127 is utilized for symmetric ciphering141 b between module 101 and server 105 at step 402, such utilizing as asymmetric key 127 which could be derived using ECDH 159, then (B) AES155, Triple DES, or other symmetric ciphering algorithms 141 b can beused at step 402 to generate module encrypted data 403. If symmetricciphering 141 b is utilized in step 402, exemplary symmetric ciphers AES155 and Triple DES are depicted and described in connection with FIG. 1dabove. If symmetric ciphering 141 b with ECIES is utilized in step 402,then step 402 could utilize the steps outlined in FIG. 2, titled “ECIESEncryption Functional Diagram” in “A Survey of the Elliptic CurveIntegrated Encryption Scheme” by Martinez et al in the Journal ofComputer Science and Engineering, Volume 2, August 2010, page 10,(herein incorporated by reference). The use of (i) symmetric cipheringalgorithms 141 b, such as with AES 155, Triple DES, and similar securesymmetric ciphers, with (ii) symmetric key 127 may be preferred at step402, if symmetric key 127 is available.

After processing module encrypted data 403, module 101 can add or appenda module identity 110. Module identity 110 is illustrated in FIG. 4 asbeing added after the module 101 processes module encrypted data 403,although module identity 110 may optionally only be included in moduleencrypted data 403 if symmetric ciphering 141 b with cryptographicalgorithms 141 and symmetric key 127 is utilized, (i.e. module identity110 could be included before step 402, where module identity could beincluded as an input into step 402 as opposed to being added after step402). By including module identity 110, possibly in the form of anencrypted module identity 110 a, as external to module encrypted data403 as illustrated in FIG. 4 at step 404, server 105 can use the moduleidentity 110 to pre-process or route a message before decrypting moduleencrypted data 403. For example, server 105 could utilize a messagepreprocessor 105 y and module identity 110 outside of module encrypteddata 403 to select a sub-server 105 w. By including module identity 110,possibly in the form of an encrypted module identity 110 a, as externalto module encrypted data 403, server 105 can use the module identity 110to select either (i) a module public key 111 or (ii) a symmetric key 127from a database 105 k in order to decrypt module encrypted data 403 orverify a digital signature. The exemplary message 208 illustrated inFIG. 6 below shows one example of a message 208 where module identity110 in the form of an encrypted module identity 110 a is included asexternal to module encrypted data 403, which is also illustrated in FIG.4.

Module identity 110 in a message 208 can represent the use of multipleunique strings or numbers over time that are uniquely associated withmodule 101, such as a first string for module identity 110 as recordedby module 101 and a second string for module identity 110 as recorded bya server 105. Module identity 110 could also comprise a sessionidentifier, where the session identifier is uniquely associated withmodule identity 110 for a limited period of time, and a new sessionidentifier is periodically generated by either module 101 or server 105.Thus, the use of a module identity 110 in a message 208 may comprise adifferent format or string than the module identity 110 preferably readfrom hardware, where the module identity 110 read from hardware could bea serial number, Ethernet MAC address, IMEI, etc. However, both can beutilized to uniquely identify a module 101 and thus are referred toherein as a “module identity” 110.

For cases where module 101 either (i) uses asymmetric ciphering 141 a ina step 402, such as sending a symmetric key 127, or (ii) sends datawithout symmetric ciphering 141 b (i.e. sends plaintext) module 101 cangenerate a module digital signature 405 for the message 208 using themodule private key 112. The module digital signature 405 can beprocessed according to public key infrastructure (PKI) standards such asthe National Institute of Standards (NIST) “FIPS 186-4: DigitalSignature Standard” (which is hereby incorporated herein by reference),or IETF RFC 6979 titled “Deterministic Usage of the Digital SignatureAlgorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)”(which is hereby incorporated herein by reference). The use of a moduledigital signature 405 can be processed according to the description of adigital signature according to the Wikipedia entry for “DigitalSignature” as of Sep. 9, 2013, which is incorporated by reference hereinin its entirety. Module digital signature 405 may also comprise aMessage Authentication Code (MAC) or tag. Also note that other uses of adigital signature as contemplated within the present invention may referto the above three references and related standard techniques forprocessing and creating digital signatures.

Other PKI standards or proprietary methods for securely generating amodule digital signature 405 may be utilized as well. According to apreferred exemplary embodiment, ECC algorithms for generating moduledigital signature 405 may be utilized in order to minimize the keylength compared to RSA algorithms. Module digital signature 405 maycomprise a secure hash signature using a secure hash algorithm 141 crelated to the secure hash algorithm 1 (SHA-1), or subsequent standardssuch as SHA-2 156 and SHA-3 157, and other possibilities exist as well.Module digital signature 405 is illustrated in FIG. 4 as being processedafter module encrypted data 403, but module digital signature 405 mayalso optionally be included in module encrypted data 403. However, sincemodule digital signature 403 can represent a secured hash signature thatcan contain limited useful information to a potential eavesdropper,module processing resources and energy can be conserved by includingmodule digital signature 405 after and external to module encrypted data403 (i.e. the benefits of encrypting module digital signature 405 may belimited). Also note that module digital signature 405 and the othersecure digital signatures contemplated herein may be calculated withinput from either (i) the plaintext in an encrypted message such asmodule encrypted data 403 or (ii) the ciphered data before conversion toplaintext, such as module encrypted data 403 before decryption at step413.

Module 101 can then continue processing message 208 by including channelcoding 406. Channel coding techniques for channel coding 406 couldinclude block codes and convolution codes. Block codes could includeReed-Solomon, Golay, BCH, Hamming, and turbo codes. According to apreferred exemplary embodiment, channel coding 406 can utilize a turbocode, so that server 105 can correct bit errors received by server 105in message 208. Alternatively, module 101 could implement channel codingby simply transmitting the same packet more than once and the use ofblock codes or convolution codes could be bypassed. Or, module 101 couldimplement channel coding by both transmitting the same packet more thanonce and also using a block code or convolution code in the body of thepacket. The use of channel coding 406 can be preferred, since any biterrors received by server 105 within module encrypted data 403 or moduledigital signature 405 in message 208 could break a decryption orsignature verification algorithm such as cryptographic algorithms 141used by server 105. Thus, the use of channel coding 406 (with atransport protocol that supports the transmission of bit errors such asUDP with checksums disabled in IPv4 or UDP Lite) can ensure thedecryption of message 208 is robust to bit errors. Bit errors maypotentially generated by intermediate network links and nodes as message208 traverses a wireless network 102 or IP Network 107. Channel coding406 may optionally be omitted.

As illustrated in FIG. 4, module 101 can then format message 208according to a transport protocol such as UDP within UDP processing 407to create message 208. Other options besides the UDP processingillustrated in FIG. 4 are available as well, including TCP formatting,but UDP formatting may be preferred in order to minimize the number ofpackets transmitted as well as TCP overhead. Note that TCP overhead whenusing IPv6 can be significant, since the full series of TCP messages toestablish a TCP session and transmit the message 208 may include about4-6 packets, where each packet in the message includes a TCP header anda full 128 bit address for both the source IP address and thedestination IP address. In contrast, UDP may preferably require only asingle packet for message 208 and a single packet for response 209, thussignificantly reducing the overhead and conserving either (i) a battery101 k life or (ii) energy usage by module 101 by reducing the datatransmitted and received by module 101.

According to a preferred exemplary embodiment, UDP formatting 407 can beformatted according to the UDP Lite protocol (IETF RFC 3828) with IPv6,whereby UDP checksums can be partially disabled and channel coding 406can be included in the UDP datagram to correct for bit errors. Note thatthe UDP and UDP Lite protocols may be updated in the future withsubsequent standards, but the UDP formatting 407 may preferably continueto include both (i) partially or fully omitted packet checksums withinthe packet header and (ii) channel coding within the packet body. Alsonote that if IPv4 is utilized by module 101 and server 105, regular UDP(i.e. according to RFC 768) formatting may be utilized with channelcoding 406 and checksums in the packet header may be disabled.

As illustrated in FIG. 4, after adding UDP formatting 407, module 101may record a fully formatted message 208. As illustrated in FIG. 2,message 208 can be sent by module 101 using a physical interface 101 asuch as radio 101 z and a wireless network 102 and the IP Network 107.Additional details regarding the structure of message 208 after takingexemplary steps in FIG. 4 are shown in FIG. 6 below. The security andefficiency features of message 208 can be useful for module 101 toefficiently balance potentially competing priorities of conservingbattery life/bandwidth utilization/energy while maintaining security.

FIG. 5a

FIG. 5a a is a flow chart illustrating exemplary steps for a module toprocess a response from the server, including verifying a server'sidentity and decrypting instructions, in accordance with exemplaryembodiments. Module 101 can perform the steps illustrated in FIG. 5a inorder to securely and efficiently process a response 209 from server105. The steps illustrated in FIG. 5b may comprise steps 307 a and 307 billustrated in FIG. 3. Module 101 can receive response 209 using IP:port204, as illustrated in FIG. 2. Response 209 can be formatted accordingto the UDP protocol or UDP Lite protocol, although other possibilitiesexist as well for the transport layer formatting of response 209,including TCP.

At step 407, module 101 can process the packet using the appropriatetransport layer protocol, such as UDP. In this step 407, the body of thepacket comprising response 209 can be extracted, and a checksum, if any,can be calculated to verify the integrity. An exemplary format ofresponse 209 is depicted and described in connection with FIG. 6 below.Note that if the UDP Lite protocol is utilized, the checksum mayoptionally only apply to the packet header. At step 406, module 101 canprocess and remove channel coding, if channel coding is present inresponse 209. Note that if a wireless network 102 comprises a IEEE802.15.4 network, then UDP Lite may preferably utilized, and UDP Litemay preferably be utilized if wireless network 102 is a PLMN mobilenetwork and the PLMN mobile network supports UDP Lite protocol. Channelcoding techniques utilized in step 406 could include block codes andconvolution codes, and can use related algorithms as used in channelcoding 406 in FIG. 4. By processing channel coding in step 406, module101 can correct potential bit errors received in response 209. As notedabove, the use of channel coding 406 can be preferred, since any biterrors received within server encrypted data 504 in response 209 couldbreak (i) a cryptographic algorithms 141 used by module 101 atsubsequent step 514, and/or (ii) the verification of a server digitalsignature 506 at step 501 a.

At step 501, module 101 can read and record the server identity 206.Server identity 206 may preferably be a string that is external toserver encrypted data 504 within response 209, as illustrated in FIG. 6below. The server identity 206 can preferably match a server identity206 used in message 208. The server identity 206 could also comprise thesource IP address 106 of response 209, or a domain name resolving to thesource IP address 106, or a domain name associated with IP address 206.Server identity 206 may also be uniquely associated with an identity inthe “Common Name” (CN) field of a certificate 122 for server 105.Receiving or processing a server identity within a response 206 mayoptionally be omitted, if module 101 can select the appropriate serverpublic key 114 without first obtaining server identity 206. At step 501a, module 101 can validate and verify the server identity 206 using theserver digital signature 506 inserted by server 105 in response 209.Server digital signature 506 can comprise a secure hash signature, whereserver 105 generated the hash signature using as input into a digitalsignature algorithms 141 d (i) the server private key 105 c and (ii) atleast a portion of the server encrypted data 504. Module 101 can utilizethe server public key 114 recorded in memory to securely validate theserver digital signature 504, also by using digital signature algorithms141 d.

The server digital signature 504 can be verified according to public keyinfrastructure (PKI) standards such as the National Institute ofStandards (NIST) “FIPS 186-4: Digital Signature Standard”, or IETF RFC6979 titled “Deterministic Usage of the Digital Signature Algorithm(DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)”. Other PKIstandards or proprietary methods for securely verifying a server digitalsignature 504 may be utilized as well. Also, server digital signature506 could optionally be included in server encrypted data 504, wherestep 501 a could take place after step 505. But, since server digitalsignature 506 may comprise a secure hash signature, any benefits fromciphering the secure hash may be small while requiring additionalprocessor resources.

Note that if module 101 had previously received server digital signature506 in a previous response 209, then steps 501 and 502 may optionally beomitted within a subsequent response 209. In other words, after module101 receives a valid server digital signature 504, server 105 may thentransmit a subsequent server digital signature 506 periodicallyaccording to rules based upon the security requirements of theapplication. As one example, if (a) after sending a symmetric key 127 ina message 208 to server 105 and receiving a response 209 to the message208 with (i) a valid server digital signature 506 and (ii) a serverencrypted data 503 using symmetric key 127, then (b) module 101 cansubsequently have reasonable assurance that subsequent responses 209using symmetric key 127 are also from server 105. According to apreferred exemplary embodiment, when module 101 sends a new symmetrickey 127 using an asymmetric ciphering algorithms 141 b, the response 209from server 105 with server encrypted data 504 (where the serverencrypted data 504 was created using the new symmetric key 127) canpreferably include or be associated with a server digital signature 506in either the response 209 or another packet from server 105.

Although not illustrated in FIG. 5b , upon completing step 501 a, module101 may also optionally verify the server identity 206 of server 105using a certificate 122 associated with server 105 and the public key ofa certificate authority 118. Module 101 could request a certificate 122associated with server 105 and calculate a secure hash signature 123using cryptographic algorithms 141 and a certificate authority publickey 131 (illustrated in FIG. 1a ). Other possibilities exist as well formodule 101 to verify the identity of server 105 without departing fromthe scope of the present invention. As one alternative, module 101 couldutilize Domain Name System Security Extensions (DNSSEC), as specified inmultiple IETF RFCs including RFC 4033, 4034, and 4035 to securelyresolve server identity 206 into IP address 106. For example, module 101could verify that the source IP address within response 209 matches aDNSSEC record for server name 206.

After verifying server digital signature 506 in step 501 a, module 101can record an authenticated server encrypted data 504 from server 105.Authenticated server encrypted data 504 may comprise an acknowledgementthat server 105 received message 208. Authenticated server encrypteddata 504 may be useful if the UDP or UDP Lite protocol is used to sendmessage 208, since UDP is a connectionless protocol and module 101 mayneed confirmation that server 105 received message 208. Note that ifsteps 501 and 501 a are omitted, then authenticated server encrypteddata 504 may comprise a simple acknowledgement that server 105 receivedmessage 208. Although not illustrated in FIG. 5a , if module 101 doesnot receive response 209 or server encrypted data 504 before a timerexpires, such as within an exemplary duration of 2 seconds, then module101 can resend message 208.

At step 505, module 101 can decrypt server encrypted data 504 usingeither (i) module private key 112 as a decryption key if asymmetricciphering 141 a is utilized to process server encrypted data 504, or(ii) symmetric key 127 if symmetric ciphering 141 b is utilized toprocess server encrypted data 504. Module 101 can utilize cryptographicalgorithms 141 and the key in order to decrypt the server encrypted data504 at step 505. Module 101 can utilize techniques to decrypt serverencrypted data 504 that are described in connection with creating moduleencrypted data 403 described in FIG. 4 above. If server encrypted data504 uses an asymmetric ciphering, the cryptographic algorithms 141 usedin step 505 may be processed according to RSA algorithms 153, ellipticcurve cryptography (ECC) algorithms 154, or other algorithms for publickey cryptography, as described previously herein. ECC algorithms 154 maybe preferred with asymmetric ciphering in order to maintain highsecurity with small key lengths, compared to RSA, in order to minimizethe message lengths, radio frequency spectrum utilization, andprocessing power required by wireless module 101. If server encrypteddata 504 uses symmetric ciphering 141 b, the cryptographic algorithms141 can use symmetric key 127 to decrypt server encrypted data 504 atstep 505.

Module 101 and server 105 could utilize a pre-agreed protocol in orderto select the use of asymmetric ciphering 141 a or symmetric ciphering141 b in a response 209. According to an exemplary embodiment, module101 and server 105 (i) utilize asymmetric ciphering 141 a whentransmitting symmetric keys 127 or other keys such as pre-shared secretkeys, new private keys, etc., and (ii) utilize symmetric ciphering 141 bat other times (i.e. when not sending/receiving a key). Since theexemplary response 209 illustrated in FIG. 6 does not contain asymmetric key, module 101 can utilize symmetric ciphering 141 b in astep 505 with symmetric key 127 to decrypt server encrypted data 504 atstep 505.

Response 209 may include a module instruction 502. By including moduleinstruction 502 in server encrypted data 504 and response 209, themodule instruction 502 can be read and processed by device 101 at step507, after the server encrypted data 504 is decrypted at step 505.Module 101 can subsequently perform the module instruction 502 in step507. Note that server encrypted data 504 may optionally include anacknowledgement that message 208 was received by server 105. In thismanner, an “ACK” response to message 208 can be securely transmitted byserver 105 and received by module 101. Additional details for exemplarymodule instruction 502 and the processing of a module instruction 502 bymodule 101 are depicted and described in connection with FIG. 4 of U.S.patent application Ser. No. 14/064,618, filed Oct. 28, 2013 in the nameof John Nix, entitled “A Set of Servers for “Machine-to-Machine”Communications using Public Key Infrastructure,” which is herebyincorporated by reference in its entirety. Upon completion of theprocessing of response 209 illustrated in FIG. 5b , module 101 canperform functions such entering the sleep or dormant states illustratedat step 308 in FIG. 3a , thus conserving battery life (if present inmodule 101) or energy while maintaining a secure, robust, and highlyscalable system 100.

FIG. 5b

FIG. 5b is a flow chart illustrating exemplary steps for a module tocommunicate with a server, including the module deriving public andprivate keys, in accordance with exemplary embodiments. In order toutilize communications secured with PKI techniques such as, but notlimited to, private keys, public keys, certificates, and identities, amodule 101 may preferably obtain or generate the keys and utilize amodule identity 110 and/or a certificate 122 in a secure manner. Giventhat a plurality of modules 101 may be deployed in potentially remoteplaces or inconvenient locations for manually changing a SIM card orUICC card, also potentially without frequent contact with end usersand/or technicians, the use of secure PKI techniques for a module 101can create a significant set of challenges for the generation of modulepublic key 111 and module private key 112, as well as properly andsecurely obtaining a certificate 122 with an module identity 110. Usingconventional technology, significant challenges and costs can beincurred when (i) module 101 has already been deployed, such ascollecting data from a monitored unit 119, and (ii) module 101 needs toutilize a new set of module private key 112 and module public key 111.The steps depicted and described for a module 101 to securely derive andimplement module PKI keys may also be used with an eUICC 163 in order tofor an eUICC 163 to securely establish a derived module private key 112and derived module public key 111 within an activated eUICC profile 313,as depicted in FIG. 3b above.

Exemplary embodiments that include derivation or processing of a newmodule private key 112 and module public key 111 may utilize theparticular steps and procedures contemplated herein, in order tominimize any potential human intervention (with related costs) whilecontinuing to maintain or also enhance security, compared either (i)externally generating module private key 112, and/or (ii) continuing touse the same module private key 112 for the lifetime of module 101. Overa long period of operating time for a module 101, such as, but notlimited to, several years or longer, there may be many reasons module101 may need a new pair of PKI keys, such as, but not limited to, (i)expiration of a certificate 122, or the certificate 122 of a parentsignature authority, (ii) the transfer of ownership or control of module101, where the prior ownership could have direct or indirect access tothe module private key 112, (iii) supporting a new server 105 that hasdifferent security requirements or a different set of cryptographicparameters 126 (longer keys, different ECC curves, differentcryptographic algorithms 141, etc.), (iv) revocation of a public key ina chain of signatures associated with a certificate 122, (v) in theevent of a “factory reset” condition or similar circumstances where aprior key pair previously recorded in a nonvolatile memory may no longerbe available, and (vi) the use of a module PKI key pair 314 withinnetwork credentials 314 for activated eUICC profiles 313, where (a) thenetwork credentials 314 are used to access a wireless network 102, and(b) module 101 may prefer to connect with multiple different wirelessnetworks 102 over time using different network credentials 314. In thecase of (ii) above, new ownership of module 101 may require a module 101to utilize a new module private key 112 since the old ownership may haveaccess to an old module private key 112. In the case of (iii) above, anew server 105 may require a pair of public/private keys incompatiblewith a prior set of public/private keys utilized by module 101 and/or acertificate 122 for module 101.

Other possibilities exist as well for reasons why a module 101 and/orserver 105 may prefer for a module 101 to utilize a new module publickey 111 and new module private key 112. In an exemplary embodiment,module 101 may generate a new public/private key periodically in orderto enhance the security of a system 100. A benefit of a system 100supporting periodic generation of keys by module 101 is that the keylength can be shortened in order to obtain a similar level of security,and the processing power and energy consumption, with energy possiblysupplied by a battery 105 k, can be reduced through the use of shorterkey lengths. In other words, over time such as, but not limited to,several months or years, the use of a plurality of different pairs ofpublic/private keys for module 101 with shorter key lengths can be bothmore secure and energy efficient than using a single pair ofpublic/private keys with a longer key length for the lifetime of module101. Shorter key lengths may also be more compatible with processingpower constraints of a module 101. Or, a longer key length forpublic/private keys could also be utilized and periodically rotated forincreased security. In exemplary embodiments, module 101 and/or server105 may prefer for module 101 to periodically generate new public andprivate keys. In addition, a mobile network operator 108 may prefer fora module 101 with an eUICC to periodically rotate, change, or lengthen akey K for accessing a wireless network 102, and the periodic generationof a new module PKI key pair 315 can support a periodic derivation of anew secret shared network key K 129 d (as described in FIG. 9b and FIG.11), which could be used to connect with wireless network 102.

The general approach adopted by most mobile phone networks over the pasttwo decades has been founded upon the use of a pre-shared secret key(i.e. a “PSK”) recorded in subscriber identity module (SIM) or UICCcards, such as the Ki pre-shared secret key in 2G or 3G networks, secretkey K in 4G LTE networks, and specified in related standards. The use ofa pre-shared secret key recorded in transferred physical media may workor be sufficient for mobile phones, where the SIMs can often be easilyreplaced, but the use of a pre-shared secret key K or Ki in a SIM orUICC may not be suitable for a module 101 and mobile network operator108 for many circumstances. As one example, significant costs may beincurred by swapping out a SIM card for already deployed modules 101,especially if they are in remote locations or continually moving suchas, but not limited to, a tracking device on a container, pallet, truck,or automobile. In an exemplary embodiment, a module 101 may preferablyrecord multiple pairs of public/private keys 111/112 for various anddifferent functions, such as, but not limited to, connecting todifferent servers 105, connecting to different wireless networks 102,using different module PKI key pairs 315 for different network accesscredentials 315 in different activated eUICC profiles 313, etc. Ascontemplated herein, recording more than one public/private key 111/112can comprise module 101 recording a plurality of pairs of module publickeys 111 and module private keys 112. Also as contemplated herein themodule private key 112 for a module 101 can be different than a privatekey in a Diffie-Hellman key exchange, since the module private key 112can be used to process a module digital signature 405, where a receivingnode for a message with a module digital signature 405 can verify thesignature using a module public key 111. In exemplary embodiments, onepair comprising a first module public key 111 and a first module privatekey 112 can be identified or selected from a different pair comprising asecond module public key 111 and a second module private key 112 using amodule public key identity 111 a.

The number of pairs of public/private keys useful to a module 101concurrently could be several, such as, but not limited to, an exemplarythree or more actively used public/private keys, although otherpossibilities exist as well. Manually trying to change or add a new SIMcard each time a new security key is required may not be efficient orfeasible. Or in another exemplary embodiment, the multiple pairs ofprivate and public keys could be used in sequence, such that module 101with server 105 or wireless network 102 utilizes a single module publickey 111 and module private key 112 at any given point in time. In thecase where module 101 with a module identity 110 derives or generatesmore than one module private key 112 and module public key 111 duringthe lifetime of module 101 and sends the derived module public keys 111over time to a set of servers 1010 (illustrated in FIG. 10 below) or awireless network 102, this case may be considered a module 101 sending aseries of module public keys for a module identity 110. The various PKIkey pairs in the series may also use either different sets ofcryptographic parameters 126 or the same set of cryptographic parameters126. A first pair of PKI keys could be associated with a mobile networkoperator 108 and a second pair of PKI keys could be associated with awireless network 102. The series of module public keys 111 (withcorresponding module private keys 112) can be processed, generated,calculated, and/or derived by a CPU 101 b with key pair generationalgorithms 141 e and a random number generator 128. The random numbergenerator 128 can use input from a sensor 101 f, a radio 101 z, a clock160, and/or a temporary random seed file 139.

In exemplary embodiments, module 101 can use a module public key 111 forsending a module encrypted data 403 or receiving a server encrypted data504 by sending the module public key 111 to a server 105 in order tosupport (i) the module encrypted data 403 to be decrypted (such as, butnot limited to, using a step 413 as depicted and described in connectionwith FIG. 4 of U.S. patent application Ser. No. 14/064,618, filed Oct.28, 2013 in the name of John Nix), or (ii) the server encrypted data 504to be encrypted (such as, but not limited to, using a step 503 asdepicted and described in connection with FIG. 5a of U.S. patentapplication Ser. No. 14/064,618, filed Oct. 28, 2013 in the name of JohnNix). In addition, a server 105 can use a module public key 111 forsending a module encrypted data 403 or receiving a server encrypted data504 by inputting the module public key 111 into a key derivationfunction 141 f in order to derive or process a derived shared secret key129 b, which could be used with a symmetric key 127. Other possibilitiesexist as well for module 101 to use its own module public key 111 withcryptographic algorithms for communicating with a server 105.

FIG. 5b illustrates exemplary steps that can be performed with module101, including using a module program 101 i, for generating, deriving,and/or updating a module public key 111 and module private key 112. Thesteps illustrated in FIG. 5b include both (i) an “initial” or “startup”case where module 101 has not previously derived keys (or keys notinternally derived may not have been loaded), and (ii) a subsequent or“follow on” time where module 101 can generate or derive keys after keyswere initially obtained or derived. Note that efficient and securemethods and systems contemplated herein, including in FIG. 5b , may alsobe utilized with a regular consumer mobile phone, or smartphone, as amodule 101. Mobile phones as module 101 can benefit from (i) deriving amodule public key 111 and a module private key 112, (ii) sending moduleencrypted data 403 in a message 208 using the derived keys, and (iii)receiving a server encrypted data 504 in a response 209 also using thederived keys.

In exemplary embodiments where module 101 comprises a mobile phone, thensensor 101 f may comprise a microphone and actuator 101 y may comprise aspeaker, and other possibilities exist as well to those of ordinaryskill in the art for module 101 to comprise a mobile phone. In addition,a mobile phone as a module 101 could utilize an eUICC 163, and thederived module public key 111 and module private key 112 could be usedfor network credentials 314 in an activated eUICC profile 313. In otherwords, an embodiment illustrated in FIG. 5b contemplates that an eUICC163 can use a derived module PKI key pair 315 as network accesscredentials 314 in future wireless networks 102 and related standards,such that the mobile operator network 108 does not depend on, or requirea pre-shared secret key K for access to the wireless network 102.Alternatively, and as illustrated in FIG. 9b and FIG. 11, a derivedmodule PKI key pair 315 could be used in an eUICC 163 to derive a secretshared network key K 129 d, which could be used as the primary key forauthenticating with a wireless network 102. The present inventioncontemplates both embodiments discussed in the previous two sentences,including an eUICC 163 with a first activated eUICC profile 313 wherethe network access credentials 314 use a module PKI key pair 315, and asecond activated eUICC profile 313 where the network access credentials314 use a derived secret shared network key K 129 d. The first activatedeUICC profile 313 could be used by a module 101 for connecting with afirst wireless network 102 (which could comprise a WiMAX network thatutilizes a module PKI key pair 315 for authentication), and the secondeUICC profile 313 could be used by a module 101 for connecting with asecond wireless network 102 (which could comprise an LTE Advancednetwork that utilizes a shared secret key K for authentication).

At step 511, during manufacturing of module 101, including manufacturingof sub-components such as, but not limited to, a circuit board, assemblyof hardware components illustrated in FIG. 1c , etc., a module identity110 could be written into the hardware, and could comprise a serialnumber, International Mobile Equipment Identity (IMEI) number, EthernetMAC address, or a similar persistent identification for a module 101. AnIEMI number may be used with a mobile phone as module 101, in apreferred embodiment. For security purposes, the module identity 110 maypreferably be written into a read-only location or protected location orprotected memory or protected address, such as, but not limited to, areadable location on a system bus 101 d, which could also comprise a ROM101 c. Recording and utilizing module identity 110 is also depicted anddescribed in connection with FIG. 1c , FIG. 2, and elsewhere herein.Alternatively, module identity 110 could be recorded in a non-volatilememory such as, but not limited to, a flash memory 101 w.

At step 512, module 101 can be distributed to end users and alsoinstalled with a monitored unit 119. If module 101 is a mobile phone,then monitored unit 119 could be a person that carries the mobile phone.Also note that a monitored unit 119 could be omitted, and a module 101could use the techniques contemplated herein. At step 513, a sharedsecret key 510, parameters 126, and a server address 207 can be recordedin a nonvolatile memory 101 w. As depicted in FIG. 5b at a step 513, inan exemplary embodiment a first received eUICC profile 311 couldalternatively be recorded in a nonvolatile memory 101 w, and the firstreceived eUICC profile 311 could include the shared secret key 510, theset of cryptographic parameters 126, and the server address 207. Ascontemplated herein, for an embodiment that utilizes an eUICC 163 formodule 101, the shared secret key 510 in a received eUICC profile 311can comprise an initial key K 325 for connecting with a wireless network102.

Parameters 126 may comprise settings for a cryptographic algorithms 141as illustrated in FIG. 1i and FIG. 1d , including (i) key lengths, (ii)algorithms to utilize for key generation or ciphering, such as, but notlimited to, selecting RSA algorithms 153 or ECC algorithms 154, (iii) aspecific secure hash algorithm 141 c to utilize, such as, but notlimited to, SHA-256 or SHA-3, (iv) an expiration date of the modulepublic key 111, (v) a maximum time value for an expiration time 133associated with a symmetric key 127, (vi) a ECC parameters 137 or an ECCstandard curve 138 as parameters 126 in FIG. 1h of U.S. patentapplication Ser. No. 14/055,606, filed Oct. 16, 2013 in the name of JohnNix, (vii) the specification of or values for a padding scheme for usewith a digital signature algorithms 141 d, and/or similar or relatedvalues for using cryptographic algorithms 141 d. Although notillustrated in FIG. 5b , at step 513 a configuration file could also beloaded into non-volatile memory, where the configuration file includes aplurality of fields specifying the operation of module 101. The sharedsecret key 510, parameters 126, and server address 207 could be includedin a configuration file.

Continuing at step 513, server identity 206 could be utilized in placeof or in addition to server address 207, and in this case module 101 canlater perform a DNS or DNSSEC lookup using server identity 206 in orderto obtain server address 207 for use in a message 208, such as thedestination address. Shared secret key 510 and server address 207 (orserver identity 206) could also be recorded in a ROM 101 c at step 513.Step 513 may also be performed concurrently with step 511 or step 512.According to an exemplary embodiment, a manufacturer may perform step513 and in this case step 513 could take place concurrently with step511. A manufacturer or distributor could load an initial eUICC profileinto an eUICC 163 of module 101, such as a first received eUICC profile311 illustrated at step 513 in FIG. 5b , and in this case step 513 couldtake place before step 512. In another embodiment, a distributor ofmodule 101 could perform step 513 and in this case step 513 could takeplace concurrently with step 512. Alternatively, step 513 may beperformed by a technician or end user after manufacturing anddistribution and before module 101 begins collecting sensor data with amonitored unit. Other possibilities exist as well for the sequence ofsteps 511 through 513 illustrated in FIG. 5b without departing from thescope of the present invention. In general, the order of stepsillustrated in various exemplary flow charts contemplated herein can bechanged if the revised order or sequence of steps can obtain the same orequivalent end result for the sequence of steps in the exemplary flowcharts.

Note that step 513 may take place multiple times during the lifetime ofa module 101, and in this case (a) the first time step 513 is conducted,step 513 could be conducted concurrent with steps 511 or 512, and (b) asubsequent time step 513 is conducted, step 513 could be conducted afterthe receipt of a response 209, where the response 209 includes either(i) a second shared secret key 510, server address 207, and alsopotentially a new module identity 110 or (ii) a new received eUICCprofile 311. In other words, although not illustrated in FIG. 5b , amodule 101 could return to step 513 from later steps upon the equivalentof a “factory reset”, or similar command where flash memory 101 w andother nonvolatile memory would be cleared. In an exemplary embodimentwhere step 513 takes place a second time may potentially be the transferof ownership or control of module 101, or a another embodiment wherestep 513 takes place a second time could be the upload of new firmwarethat is incompatible with a previous configuration file. In any case,(i) shared secret key 510 can preferably be uniquely associated withmodule 101 (i.e. any given shared secret key 510 may belong only to anindividual module 101), or (ii) a module 101 could record anotherreceived eUICC profile 311 a second time that a step 513 could occurduring the lifetime of a module 101.

Shared secret key 510 may comprise a pre-shared secret key 129 a, asdescribed in FIG. 1c . Shared secret key 510 may be recorded in areceived eUICC profile 311 if an eUICC 163 and related profiles areutilized, but the use of an eUICC 163 is not required in someembodiments of the present invention. In an exemplary embodiment, amodule 101 could also utilize a eUICC 163 for connection to a wirelessnetwork 102, but a module 101 (i) does not need to use any keysassociated with the eUICC 163 in order to communicate with a server 105or set of servers 1010 and (ii) can separately utilize the techniques,module PKI keys, and other aspects of various embodiments contemplatedherein. In other words, for some embodiments of the present inventioncontemplated herein, a module 101 can use an eUICC 163 for the purposesof connecting with a wireless network 102 (possibly without deriving amodule PKI key pair 315 for an activated eUICC profile 313), but themodule 101 can separately and independently use steps illustrated inFIG. 5b and other Figures to communicate with a server 105. If (A), (i)module 101 has already derived a module private key 112 and modulepublic key 111 and (ii) a module 101 is not utilizing an eUICC 163 andrelated profiles (including times when step 513 is being conducted at asecond or additional time as contemplated in the previous paragraph),then (B) shared secret key 510 may comprise (i) a key received in aserver encrypted data 504 including possibly a symmetric key 127, or(ii) a derived shared secret key 129 b. Derived shared secret key 129 bcould be obtained by server 105 from using a key derivation function 141f such as ECDH 159 and module public key 111 and server private key 105c, using a module public key 111 that has already been derived or usedby module 101 (such as if at least one module private key 112 and modulepublic key 111 had already been used or derived before step 513).

As contemplated herein in an exemplary embodiment where an eUICC 163 isnot being utilized by a module 101 for encrypting data with a server 105(but an eUICC 163 could be used for access to a wireless network 102),an initial module private key 112 b and initial module public key 111 bcould be derived outside module 101 and loaded into a nonvolatile memorysuch as flash memory 101 w at a prior time before step 513, and theshared secret key 510 could be received by module 101 using the initialmodule private key 112 b and initial module public key 111 b (such as,but not limited to, receiving the shared secret key 510 in a serverencrypted data 504 using the initial module private key 112 b which hadbeen loaded). Step 513 could then comprise a later time after the serverencrypted data 504 has been received that includes the shared secret key510, where module 101 may (i) prefer to begin utilizing keys that module101 internally derives using cryptographic algorithms 141 at asubsequent step 515 or step 316 instead of (ii) continuing to use theinitial module public key 111 b and initial module private key 112 bthat were derived outside of the module 101, such as, but not limitedto, possibly loaded into a nonvolatile memory from an external source.In other words, module 101 could begin operation with PKI keys that areinitially loaded, but then change to using PKI keys derived by module101.

In the embodiment where (i) shared secret key 510 has not been receivedby module 101 in a server encrypted data 504, and (ii) a module 101 isnot utilizing an eUICC 163 for the purposes of communicating with aserver 105 (but could use an eUICC 163 for separate purposes of gainingaccess to a wireless network 102), shared secret key 510 for a step 513could be obtained and loaded by a distributor, installer, or end userinto a nonvolatile memory such as, but not limited to, flash memory 101w in the form of a pre-shared secret key 129 a, where pre-shared secretkey 129 a was obtained using a module identity 110 and pre-shared secretkey code 134 as depicted and described in connection with FIG. 1e ofU.S. patent application Ser. No. 14/055,606, filed Oct. 16, 2013 in thename of John Nix. Module 101 could also utilize a first pre-sharedsecret key 129 a, including a first pre-shared secret key 129 a enteredby potentially a distributor, installer, or end-user described in FIG.1e , to derive shared secret key 510. Other possibilities exist as wellfor shared secret key 510 in a step 513, and shared secret key 510 canbe useful for the proper identification and/or authentication of module101 upon module 101's generation of a private key 112 and public key111, as described below including step 517.

If module 101 is a mobile phone, as contemplated herein, shared secretkey 510 could be loaded by a distributor or company selling or servicingthe mobile phone, or shared secret key 510 in a step 513 could beobtained by the end user or subscriber accessing a web page associatedwith a mobile operator for a wireless network 102 associated with themobile phone and/or SIM card. In an exemplary embodiment where module101 is a mobile phone and an eUICC 163 is being utilized by a module101, the shared secret key 510 could be recorded in a received eUICCprofile 311, as illustrated in FIG. 3b . In another exemplary embodimentwhere module 101 is a mobile phone and an eUICC 163 is being utilized bya module 101, the shared secret key 510 could comprise an initial key K325 recorded in a set of received MNO network access credentials 312.

Also note that as contemplated herein, an initial module private key 112b and initial module public key 111 b could be recorded into nonvolatilememory at step 513. For example, a manufacturer, distributor, installer,technician, or end-user could load the initial module private key 112 band initial module public key 111 b, where the initial module public key111 b would be utilized to authenticate at step 517 below a subsequentset of public/private keys derived by module 101 at step 515 below. Inthis case, the initial module public key 111 b and/or initial moduleprivate key 112 b described in the previous two sentences could comprisethe shared secret key 510. In another embodiment, the initial modulepublic key 111 b and initial module private key 112 b could be recordedin a SIM or UICC, and the SIM or UICC could be either virtual orphysical such as, but not limited to, a SIM card, including a UniversalIntegrated Circuit Card (UICC) or an embedded UICC (eUICC). A set ofservers 1010 (as illustrated in FIG. 10) could also record the initialmodule public key 111 b recorded in the SIM (including an eUICC), andthe set of servers 1010 could authenticate a message or a subsequentmodule public key 111 b derived by module 101 (such as in a step 515below) using the initial module public key 111 b. In other words, for anexemplary embodiment, an eUICC 163 or a profile within an eUICC 163could record an initial module public key 111 b and initial moduleprivate key 112 b, and (i) the eUICC 163 could use the initial PKI keysfor authenticating a subsequent, derived module public key 111, and (ii)the derived module public key 111 could be recorded within an activatedMNO network access credentials 314 associated with an activated eUICCprofile 313.

The use of an initial module public key 111 b and/or initial moduleprivate key 112 b are also depicted and described in connection withFIG. 5b of U.S. patent application Ser. No. 14/055,606, filed Oct. 16,2013 in the name of John Nix, which is hereby incorporated by referencein its entirety. Thus, FIG. 5b also contemplates an embodiment whereshared secret key 510 at step 513 comprises an initial public/privatekey pair for module 101 that is not internally derived by module 101,including keys derived at step 515. Note that the contemplation of theuse of shared secret key 510 as a pre-shared secret key 129 a within thepresent invention may be different than the use of a pre-shared secretkey within a subscriber identity module (SIM) card as commonly supportedby wireless networks 102 with mobile phones in 2013, one reason beingthe shared secret key 510 can be used by a server 105 and a module 101to authenticate a derived module public key 111, but conventionaltechnology does not contemplate that a pre-shared secret key within aSIM or UICC could be directly read (i.e. moved into a RANI memory 101 e)by a module 101 in order to authenticate a derived module public key111.

At step 514, module 101 can read module identity 110 using a read-onlyaddress. Module 101 can read module identity 110 directly from read-onlyhardware address by using system bus 101 d, including from a ROM 101 c,or module 101 can read module identity 110 from a nonvolatile memorysuch as a flash memory 101 w. A step 514 may also be optionally omittedin embodiments where module 101 utilizes an eUICC 163, and in this casethe module 101 can read the network module identity 101 b from thereceived eUICC profile 311 acquired in a step 513 above. Step 514 couldalso take place after step 515 below. At step 515 or a profileactivation 316 step, module 101 can derive module private key 112 and acorresponding module public key 111 using (i) random number generator128, (ii) cryptographic parameters 126, (iii) cryptographic algorithms141, and/or (iv) a key pair generation algorithm 141 e. The derivedmodule private key 112 and module public key 111 can comprise a modulePKI key pair 315. As contemplated herein, a step 515 could also comprisea profile activation 316 step, such that a received eUICC profile 311without a module PKI key pair 315 can be converted or transformed intoan activated eUICC profile 313 with a module PKI key pair 315. Module101 at step 515 or a step 316 and elsewhere in the present invention canbe a mobile phone such as, but not limited to, a smartphone, and themobile phone could include an eUICC 163. Module private key 112 andcorresponding module public key 111 can be derived using a key pairgeneration algorithm 141 e according to a wide range of parameters 126,and can utilize different algorithms for different pairs of keys, suchas, but not limited to, RSA 153 or ECC 154.

Key derivation at a step 515, including the use of a profile activationstep 316, could generate keys of various lengths, such as, but notlimited to, 2048 bits with RSA 153 or 283 bits with ECC 154, and otherpossibilities exist as well. If using ECC 154 to derive a pair of keysfor module 101, step 515 could also accommodate the use of differentelliptic curves for compatibility with server 105, such as, but notlimited to, the use of odd-characteristic curves, Koblitz curves. Theuse of the set of parameters from a step 513 in a step 515 or step 316can ensure the derived keys by module 101 use a compatible or identicalelliptic curve or defined elliptic curve equation as server 105, etc. Ina step 513 or a step 316 in FIG. 5b , module 101 can use ECC parameters137 or an ECC standard curve 138 in a parameters 126 to derive moduleprivate key 112 and/or module public key 111. Note that the use of aneUICC 163 is not required for some embodiments, and a step 515 can beused to derive a module private key 112 and a module public key 112 forthe purposes of communicating with a server 105 without using ordepending upon an eUICC 163 and related profiles.

Deriving keys in step 515 or a profile activation step 316 could alsocomprise using values such as constants or variables in a set ofcryptographic parameters 126 to define an elliptic curve equation foruse with an ECC algorithm 154. For the embodiment where module 101derives module PKI key pair 315 within an activated network credentials314, a profile activation step 316 can utilize the set of cryptographicparameters 126 within a received eUICC profile 311, and the set ofcryptographic parameters 126 could be used with a key pair generationalgorithm 141 e to derive the module PKI key pair 315. The values orconstants to define an equation for an elliptic curve could be inputinto a key pair generation algorithms 141 e in the form of ECCparameters 137 or an ECC standard curve 138. In alternative embodiments,an RSA algorithm 153 can be used for deriving module PKI keys instead ofECC algorithms 154. In an exemplary embodiment, where a parameters 126does not include constants and variables for defining an elliptic curveequation, a key pair generation algorithms 141 e could use pre-definedelliptic curves with ECC algorithms 154 such as, but not limited to,standardized, named curves in ECC standard curve 138 including exemplaryvalues such as, but not limited to, sect283k1, sect283r1, sect409k1,sect409r1, etc. Exemplary, standardized named curves, as opposed tomodule 101 and server 105 using an internally generated elliptic curveequation using cryptographic parameters 126, are also identified asexample curves in IETF RFC 5480, titled “Elliptic Curve CryptographySubject Public Key Information”. Thus, module 101 could use eitherstandardized elliptic curves, or a separate defined elliptic curveequation as specified in a set of cryptographic parameters 126. Or,module 101 could use RSA algorithms 153 with key pair generationalgorithms 141 e such that derived keys for module 101 can be used withRSA algorithms 153 within a set of cryptographic algorithms 141. Inembodiments where module 101 uses an RSA algorithm 153 to derive amodule private key 112 and a module public key 111 in a step 515 or astep 316, the set of cryptographic parameters 126 can include a modulusfor the RSA algorithm 153.

For embodiments where elliptic curve cryptography is used by a module101 instead of RSA-based cryptography, the curve for module 101 toutilize in deriving module public key 111 and module private key 112 atstep 515 or a profile activation step 316 could be specified in a set ofcryptographic parameters 126. Consequently, the parameters of keysgenerated by module 101 at step 515 or a profile activation step 316(including key length or algorithms utilized) may be selected based uponthe requirements of the application and can be included in a parameters126. When deriving keys at step 515 or a profile activation step 316,module 101 may also utilize data from sensor 101 f, radio 101 z, a bus101 d, a physical interface 101 a, memory 101 e, and/or a clock 160 inorder to generate a seed 128 b for random number generator 128, orrandom number generator 128 could utilize these inputs directly. Arandom number 128 a can be input into key pair generation algorithm 141e in order to derive the module public key 111 and module private key112. Note that with ECC algorithms 154, a module private key 112 can bea random number 128 a in one embodiment, and the module public key 111can be derived with a key pair generation algorithms 141 e using themodule private key 112 comprising the random number 128 a.

For embodiments where a module 101 uses an eUICC 163, module 101 couldalso derive or calculate a key K module token 1103 at a step 316 in FIG.5b , along with the derived module private key 112 and module public key111. A key K module token 1103 is depicted and described in connectionwith FIG. 9b and FIG. 11 below. Key k module token 1103 could comprise(i) the module public key 111, in embodiments where module 101 andserver 105 use an ECDH 159 key exchange, or (ii) another value or numberfor a server 105 to derive a secret shared network key K 129 d using anetwork key K derivation algorithm 1101 (in FIG. 11 below). Otherpossibilities exist as well for a key K module token 1103 calculated bya module 101 in a step 316 in order for a server 105 to utilize the keyK module token 1103 in a network key K derivation algorithm 1101 withoutdeparting from the scope of the present invention.

Upon key derivation at step 515 or a profile activation step 316, moduleprivate key 112 and module public key 111 can be recorded in anonvolatile memory 101 w. For the use of a profile activation step 316in FIG. 5b , the module private key 112 and module public key 111 canalso be recorded with a set of activated mobile network operator (MNO)network access credentials 314 for an activated eUICC profile 313, andthe activated eUICC profile 313 could be recorded in a eUICC 163. TheeUICC could also be recorded in a nonvolatile memory 101 w. Moduleprivate key 112 can preferably not be transmitted or sent outside module101. Also note that over a potential lifetime of a decade or more ofoperation of module 101, each time a new module private key 112 may berequired (for various potential reasons outlined above), includingmultiple instances of a profile activation step 316, the externalrecording and/or transferring of module private key 112 incurs apotential security risk. Security risks can be compounded if theexternal location records private keys 112 for a plurality of modules101. Also, by internally generating private key 112 at step 515, whichcould comprise a profile activation step 316, module 101 can overcomesignificant limitations and costs requiring the distribution of apre-shared secret key Ki or K in the form of a SIM card or UICC orsimilar physical distribution of a pre-shared secret key, after module101 begins operations.

In comparison with conventional technology, the use of a shared secretkey 510 in the present invention does not require physical distributionof a new shared secret key 510 after module 101 begins operations suchas, but not limited to, sending a module encrypted data 403, and ashared secret key 510 could be recorded in a received eUICC profile 311for embodiments that use a eUICC 163. Module 101's key derivation andrelated steps could also be triggered by either (i) a bootloader program125, where the bootloader program 125 determines that memory withinmodule 101 does not contain a module private key 112, or (ii) via amodule instruction 502 such as, but not limited to, a “key generation”or “derive new keys” command in a response 209 from a server, and otherpossibilities exist as well. Thus, in accordance with a preferredexemplary embodiment, the derivation of a module public key 111 and amodule private key 112 at a step 515 in FIG. 5 does not require the useof a profile activation step 316, and the derivation of the module PKIkeys does not require and optionally may not be associated with ordepend upon the use of an eUICC 163.

Note that module 101's generation of keys after deployment andinstallation may create challenges for authentication of a new modulepublic key 111 with module identity 110, since module 101 may beconnecting to server 105, wireless network 102, or mobile networkoperator 108 via the IP Network 107 or an open or public network such asa wireless network 102 that may comprise many modules 101 or mobilephones. After module 101 creates new module public key 111 and moduleprivate key 112 at step 515 or a profile activation step 316, at step516 module 101 can send a message 208 with the module identity 110, thenew module public key 111, and cryptographic parameters 126 or 126 a. Inan exemplary embodiment where a module 101 uses a profile activationstep 316 with an eUICC 163 in FIG. 5b , the server 105 receiving themessage 208 with the module identity 110 (possibly in the form of anetwork module identity 110 b) and new module public key 111 couldreside within or be associated with a mobile network 102. Parameters 126in message 208 at step 516 can represent the parameters 126 used togenerate the module public key 111.

In exemplary embodiments where an eUICC 163 is being utilized in a FIG.5b , module 101 can send a key K module token 1103 to a mobile networkoperator 108 in a step 516. Key K module token 1103 could be calculatedin a step 316 above, although other possibilities exist as well for thetiming or sequence when a module 101 calculated a key K module token1103 without departing from the scope of the present invention. Theexemplary used of a key K module token 1103 is also depicted anddescribed below in connection with FIG. 11 and FIG. 9b below. Key Kmodule token 1103 could comprise (i) the derived module public key 111,or (ii) another value or number for a server 105 associated with amobile network operator 108 to derive a secret shared network key K 129d. Steps 516 and step 517 illustrated in FIG. 5b could be combined intoa step 522, and a step 522 can be utilized by a module 101 inembodiments where an eUICC 163 is utilized and a module 101 performs orconducts the steps illustrated in FIG. 9 b.

Also, as contemplated herein, a step 516 and a step 517 illustrated inFIG. 5b may optionally be combined or the order of a step 516 and a step517 changed. In an exemplary embodiment, the receipt of data within astep 516 could only be possible if a module 101 using a module identity110 or 110 b had previously been authenticated before a step 516. Inother words, a module 101 and a server 105 could take steps notillustrated in FIG. 5b before step 516 to authenticate module 101 beforea step 516, including both nodes using a shared secret key 510, whichcould also comprise an initial key K 325. In this case, where module 101could be authenticated before a step 516, the authentication of amessage 208 in a step 517 could be considered automatic, since themodule 101 could be authenticated before a step 516. Other possibilitiesfor a module 101 to authoritatively send data in a step 516 are possibleas well without departing from the scope of the present invention.

Parameters 126 in message 208 at step 516 may also be optionallyomitted, in an embodiment where a server 105 and a module 101 canpre-agree (before a step 516 illustrated in FIG. 5b ) on the set ofcryptographic parameters 126 or 126 a associated with the module publickey 111. The sub-steps for a server 105 to receive a message 208 arealso depicted and described in connection with FIG. 2 above. Parameters126 within a message 208 can comprise descriptive values for new modulepublic key 111. Note that at step 516, server 105 does not need toreceive new module public key 111 in the form of a certificate 122(although it could be in the form of a certificate 122). New modulepublic key 111 could be received by server 105 within a string or fieldwithin a body 602 of a TCP/UDP packet 601 a, illustrated in FIG. 8below. As depicted in step 516 shown in FIG. 8 below, message 208 atstep 516 can also optionally include a module public key identity 111 a,which can be recorded in module database 105 k along with moduleidentity 110 and module public key 111 a.

According to an exemplary embodiment where an eUICC 163 is not beingutilized, a first source (IP:port) number received in a first message208 at step 516 can be different than a second source IP:port number ina second message 208 at step 518 below, wherein a response 209 send instep 519 below can preferably be sent to the second source IP:portnumber received in the second message 208 at step 518 in order totraverse a firewall 104 (as depicted and described in connection withpacket 209 a in FIG. 2). In other words, the proper destination IP:portfor a response 209 to a module 101 can change over time, such as theproper destination IP:port changing due to the use of sleep states bymodule 101 and/or function of a firewall 104. Consequently, according toan exemplary embodiment, a response 209 can utilize a destinationIP:port number equal to the source IP:port number received in the last(i.e. most recent) message 208 from module 101 received by server 105.

At step 517, server 105 can authenticate the message 208 received instep 516 using the shared secret key 510 described in a step 513 orprofile activation step 316. Server 105 could record the shared secretkey 510 before step 517 in a module database 105 k. If step 517 occursfor the first time in a lifetime of module 101, then shared secret key510 could comprise a pre-shared secret key 129 a recorded by server 105in a module database 105 k illustrated in FIG. 1a and FIG. 1m . If step517 occurs at subsequent time, then server 105 could have sent sharedsecret key 510 in a server encrypted data 504 and recorded shared secretkey 510 in a module database 105 k for later use (such as at step 517).For the embodiment where a module 101 uses an eUICC and the stepsillustrated in FIG. 5b to connect with a wireless network 102, theshared secret key 510 could be recorded in a received eUICC profile 311,and the shared secret key 510 could comprise an initial key K 325 withinthe received eUICC profile 313 from a step 513. For the embodiment wherea module 101 uses an eUICC and the steps illustrated in FIG. 5b toconnect with a wireless network 102, the shared secret key 510 in a step517 can comprise an initial key K 325.

In a step 517, server 105 can authenticate the message 208 according tomessage digest, or using the shared secret key 510, possibly in the formof a initial key K 325, to process a symmetric key 127 within asymmetric ciphering algorithm 141 b, where the successful encryption anddecryption of data within message 208 using the shared secret key 510 onboth ends could be confirmation that message 208 is authenticated, sinceboth parties would only be able to mutually successfully encrypt anddecrypt by sharing the same shared secret key 510. As contemplatedherein, the term “authenticating a public key” may refer to“authenticating a message that includes the public key”, and both mayrefer to validating or verifying that a recorded module identity 110,possibly in the form of a network module identity 110 b, accessed byserver 105 from a module database 105 k is associated with a receivemodule public key 111. In the case where an eUICC 163 is utilized by amodule 101 to connect with a wireless network 102, a network moduleidentity 110 b may be utilized instead of a module identity 110 (i.e.the server 105 could use a recorded network module identity 110 binstead of the module identity 110 for authentication of the derivedmodule public key 111).

Other possibilities exist as well for server 105 to use a shared secretkey 510 in order to authenticate a message 208 that contains a newmodule public key 111 (where module 101 contains a new module privatekey 112) or a key K module token 1103. In one embodiment, message 208 instep 516 could include a module digital signature 405 using secure hashalgorithms 141 c, where both the module 101 and the server 105 input astring combing at least a portion of the shared secret key 510 and aportion of the new module public key 111 into the secure hash algorithms141 c in order to obtain the module digital signature 405. Module 101could send the module digital signature 405 to server 105 in a message208. Additional embodiments for the authentication of a new modulepublic key 111 or a key K module token 1103 for a step 517 is alsodepicted and described in a step 1202 of FIG. 12 in U.S. patentapplication Ser. No. 14/064,618, filed Oct. 28, 2013 in the name of JohnNix, which is hereby incorporated by reference in its entirety. Thus,the present invention contemplates the authentication and/orverification of either (i) new module public key 111 or key K moduletoken 1103 or (ii) a message 208 that includes new module public key 111or key K module token 1103 according to steps that use alternatives to ashared secret key 510 for the authentication.

According to some exemplary embodiments, new module public key 111 orkey K module token 1103 from a step 515 or profile activation step 316can be authenticated and/or verified as being properly associated with arecorded module identity 110 in server 105 (i) without the use of ashared secret key 510, and/or (ii) with alternatives to using sharedsecret key 510. After receiving authenticated new module public key 111in steps 516 and 517, according to a preferred exemplary embodiment,server 105 can preferably only accept and process (A) either incoming(i) a symmetric keys 127 ciphered with a asymmetric ciphering algorithm141 a, and/or (ii) incoming server instructions 414, when (B) the nextor a subsequent incoming message 208 from module 101 using moduleidentity 110 also includes a valid module digital signature 405 verifiedby using the new module public key 111, received at step 516.

According to an exemplary embodiment, shared secret key 510 can beassociated with a module public key identity 111 a, and shared secretkey 510 can be used to authenticate a particular value for a modulepublic key identity 111 a. In this embodiment, (i) a message 208 withmodule public key 111 and a first module public key identity 111 a maybe authenticated using a shared secret key 510, but (ii) a secondmessage with module public key 111 and a second module public keyidentity 111 a may not be authenticated using the same shared secret key510. Thus, in accordance with an exemplary embodiment, shared secret key510 can be used for both (i) a single time for authenticating a modulepublic key 111 or a key K module token 1103 received in a step 516, and(ii) authenticating a module public key 111 with a particular value forthe module public key identity 111 a. Note that module public keyidentity 111 a can be particularly useful with key revocation, such thata key revocation could specify a particular module public key identity111 a (associated with a particular module public key 111) to berevoked, but other module public keys 111 for a module 101 and moduleidentity 110 with different module public key identities 111 a couldremain valid and not revoked.

Although not illustrated in FIG. 5b , for embodiments where an eUICC 163is not utilized to authenticate and encrypt data between module 101 andserver 105, server 105 could operate with a certificate authority 118 inorder to utilize a new module public key 111, as described in thisparagraph. In this case, server 105 could bypass the authentication atstep 517, but certificate authority 118 may perform step 517 in order tosign the certificate 122, including possibly using shared secret key 510to authenticate module public key 111. At step 516, new module publickey 111 could be received by server 105 in the form of a uniformresource locator (URL) or domain name for download of a certificate 122corresponding to the new module public key 111. Using a certificateauthority 118 in conjunction with step 516 is also depicted anddescribed in connection with FIG. 5b of U.S. patent application Ser. No.14/055,606, filed Oct. 16, 2013 in the name of John Nix, which is herebyincorporated by reference in its entirety.

After steps 516 and 517, which could be combined into a step 522, server105 can update a module database 105 k using the module identity 110 ornetwork module identity 110 b to insert or update the new module publickey 111 or key K module token 1103, and parameters 126 associated withnew module public key 111. As contemplated herein, a set of servers 1010(illustrated in FIG. 10 below) could collectively perform the functionof a single server 105, and thus multiple separate computers couldcomprise a server 105. Server 105 may communicate with a plurality ofmodules 101, and thus could utilize a module database 105 k in order torecord the new module public key 111 or key K module token 1103 andparameters 126 with the module identity 110. In one embodiment, themodule identity 110 could preferably operate as an index within a tableof module database 105 k in order to speed reads and writes from thetable used with module public key 111, parameters 126, and alsoselecting a symmetric key 127 for a symmetric ciphering algorithm 141 bin later messages. As described in FIG. 1d , FIG. 1i , and elsewhereherein, parameters 126 can include data useful for the operation ofcryptographic algorithms 141 and module public key 111. According to apreferred exemplary embodiment, some modules 101 in a system 100 couldutilize a first elliptic curve, such as, but not limited to, using afirst set of ECC parameters 137 or first ECC standard curve 138 within aparameters 126, and other modules 101 could utilize a second anddifferent elliptic curve within a parameters 126, such as, but notlimited to, a second set of ECC parameters 137 or second ECC standardcurve 138. The different sets of parameters 126 for different modules101 using different module identities 110 could be recorded in themodule database 101 k.

After verifying the new module public key 111 in a step 517, at step 518of FIG. 5b , module 101 could send a second message 208, and the secondmessage 208 can include a module identity 110 and module encrypted data403. In embodiments where (i) an eUICC 163 is utilized, and (ii) server105 belongs to a wireless network 102 such as a wireless networkoperator 108, then the term “module identity 110” as contemplatedthroughout the present invention can comprise a network module identity110 b. A module identity 110 comprising an identity associated withhardware for module 101 can be used with an eUICC 163 (since the eUICCmay use multiple network module identities 110 b). Although notillustrated in FIG. 5b , the second message 208 could also include amodule digital signature 405, wherein the module digital signature iscreated with the new module public key 111 received in step 516. Server105 could then utilize the steps illustrated in FIG. 4 in order toprocess the incoming message 208 with the new module public key 111,including using the module identity 110 sent by a module 101 in thesecond message 208 at step 518 to select the new module public key 111and subsequently verify a module digital signature 405 using the newmodule public key 111 and digital signature algorithm 141 d. Also asdiscussed in FIG. 4 in connection with processing a message 208, module101 could encrypt the module encrypted data 403 in the second message208 in a step 518 by using server public key 114. In one embodiment, thesecond message 208 as illustrated in FIG. 5b , which could be the nextmessage after authenticating module public key 111 in step 517, couldinclude a symmetric key 127.

The module encrypted data 403 in step 518 could include a symmetric key127 for utilization with a symmetric cipher 141 b, where symmetric key127 could be ciphered with an asymmetric ciphering algorithm 141 a. Inanother embodiment, module 101 could also send sensor data in a moduleencrypted data 403 at step 518. Or, at step 518 the second message 208could be a signal and/or data (such as a random number 128 a) for server105 to use a key derivation function 141 f with the server public key114 and the new module public key 111 (received at step 516) to create anew derived shared key 129 b for use with symmetric ciphering algorithms141 b in subsequent messages 208. In other words, in some embodimentsderived shared key 129 b can function as a symmetric key 127. If thesecond message 208 in step 518 comprises a signal and/or data for server105 to derive a new derived shared key 129 b, then this second message208 could then optionally leave off module encrypted data 403 and/or amodule digital signature 405. The successful use of a new derived sharedkey 129 b (using the new module public key 111, possible received instep 516, and existing server public key 114) with symmetric cipheringalgorithms 141 b at subsequent steps by both module 101 and server 105can indicate to each the communications are mutually authenticated.Second message 208 at a step 518 could also include a server instruction414, a security token 401, and/or a timestamp value 604, and otherpossibilities exist as well without departing from the scope of thepresent invention.

At step 519, module 101 can receive a response 209 from server 105,where the response 209 includes server encrypted data 504 and a moduleinstruction 502. Module 101 could take the steps to receive and processresponse 209 as depicted and described in connection with FIG. 5a .Response 209 could be formatted according to the exemplary response 209illustrated in FIG. 6a below. The module instruction 502 could be anacknowledgement 501 that the second message 208 sent in step 518 wasreceived by server 105.

In an exemplary embodiment where module 101 utilizes an eUICC 163 toconnect with a wireless network 102, module 101 could use a step 519 toreceive second, received eUICC profile 311 at a step 519. The second,received eUICC profile 311 could be included within the server encrypteddata 504, but the second, received eUICC profile 311 may also optionallycomprise a file or set of files that are encrypted and in this case theencrypted, second, received eUICC profile 311 in a step 519 couldoptionally be received in a response 209 without a server encrypted data504 (i.e. the server 105 may optionally not add additional encryptionfrom a FIG. 5a to the profile 311 if the profile 311 is alreadyencrypted). The new, received eUICC profile 311 received by a module 101in a step 519 could provide information, such as, but not limited to, aset of network parameters 310 and a set of network access credentials312 for connecting with a second, different wireless network 102 thanthe wireless network 102 utilized to receive the response 209 at a step519. The profile 311 received in a step 519 could comprise receivingseveral sets of related data (possibly in different but relatedresponses 209), such as a first set that includes network accesscredentials 312 and a second set of data that includes networkparameters 310 or cryptographic parameters 126. Module 101 could use thesecond, received eUICC profile 311 in order to change network accesscredentials 314 and connect with a different wireless network 102 (orpossibly change network access credentials 314 for connecting with thesame wireless network 102).

In this embodiment where a module 101 uses an eUICC 163, module 101could receive the profile 311 from an eUICC subscription manager 164 ata step 519, where the eUICC subscription manager 164 uses a server 105and sends a response 209 with the profile 311 to the module 101 in astep 519. The message 208 with the module identity 110 from the previousstep 518 could be sent to the server 105 associated with the eUICCsubscription manager 164. The module 101 could send (a) the moduleidentity 110 read from a hardware address such as a protected memory ina step 514 above to (b) the eUICC subscription manager 164 in theprevious step 518 in order to receive the profile 311 in a step 519.Note that (a) the mobile network operator 108 providing connectivity andaccess to the IP Network 107 in previous steps in FIG. 5b , such as, butnot limited to, a previous step 518 could comprise (b) the eUICCsubscription manager 164 sending the profile 311 received by a module101 in a step 519. Or, the eUICC subscription manager 164 receiving themessage 208 in a step 518 could be a different entity than MNO 108, suchas module provider 109 (where module provider 109 in FIG. 1a is alsoillustrated as an eUICC subscription manager 164). Other possibilitiesexist as well for the location/operator of an eUICC subscription manager164 receiving the message 208 in a step 518 (in order to send theresponse 209 with the profile 311) without departing from the scope ofthe present invention.

At step 520, module 101 can send a third message 208 with a confirmation414 to server 105. Confirmation 414 can be used to signal properexecution of module instruction 502 from a step 519, if moduleinstruction 502 comprised an instruction other than an “ACK” oracknowledgement 501. In the embodiment where a module 101 received asecond, received eUICC profile 311 at step 519, the step 520 couldcomprise a signal from module 101 back to server 105 that the receivedeUICC profile 311 has been properly received, passes integrity checks,and/or is compatible with module 101, etc. In an embodiment where moduleinstruction 502 in step 519 comprises an acknowledgement 501 from server105, then the confirmation 414 may omitted and in this case step 520could be skipped.

At step 521 server 105 can determine or evaluate if (i) a new modulepublic key 111 and/or certificate 122 are required for continuedoperation, or (ii) the use of the second, received eUICC profile 311from a step 519 is preferred for connecting to a second wireless network102. One reason for the need of new keys could be the expiration of acertificate 122 for module 101, or the desire to utilize a different setof cryptographic parameters 126 such as, but not limited to, a longerkey length for increase security or the use of a different ECCparameters 137 or a different ECC standard curve 138 with cryptographicalgorithms 141. As described elsewhere herein and above in this FIG. 5b, many other possibilities exist for reasons why module 101 and/orserver 105 can prefer for module 101 to utilize a new module public key111 and new module private key 112. Either server 105 or module 101 maydetermine that the use of a new module public key 111 and new moduleprivate key 112 may be preferred at step 521. If module 101 determinesthat the use of a new module public key 111 and new module private key112 is preferred or desirable, module 101 could send server 105 a signalthat new keys will be generated either before step 521 or at step 521.

Upon determining at step 521 either (i) new keys are desirable or (ii)the use of the second, received eUICC profile 311 is preferred, thenmodule 101 could derive new private and public keys by returning to step515 or step 316, as illustrated in FIG. 5b . In the embodiment where aneUICC 163 is used, as described above, a module 101 could activate thesecond, received eUICC profile 311 upon returning to a step 316 andderive a second module PKI key pair 315 for the second, received eUICCprofile 311. The second module PKI key pair 315 can be different thanthe first module PKI key pair 315 associated with the first receivedeUICC profile 311 from a step 513. Although not illustrated in FIG. 5b ,upon determining “yes” at step 521, server 105 could send a moduleinstruction 502 of “new key generation” and also a new or current set ofcryptographic parameters 126 to utilize with the new module private key112 and module public key 111. In accordance with exemplary embodiments,module instruction 502, including the “new key generation” instructionand set of parameters 126, can be received in a response 209 aftermodule 101 wakes from a sleep or dormant state and sends a message 208after waking from the sleep or dormant state. If module 101 determinesthat new keys are not required or desirable at step 521 (including theuse of the second received eUICC profile 311 from a step 519 is notrequired at one instance of a step 521 but the use of a received eUICCprofile 311 could be preferred at a subsequent instance of a step 521),module 101 can then proceed to step 309 and wait according to a sleep oridle timer before sending the next message 208 to a server 105.

Although not illustrated in FIG. 5b , in embodiments where module 101uses an eUICC 163 and receives an eUICC profile 311 in a step 519, upondetermining the value “yes” at a step 521, module 101 could proceed to astep 905 depicted and described in connection with FIG. 9b and followthe subsequent set of steps using the received eUICC profile 311 from astep 519. In the embodiment where an eUICC 163 is utilized by module 101for connecting to a wireless network 102, upon determining the value“no” at a step 521, a step 309 in FIG. 5b could comprise the module 101waiting to send a periodic “location update” request in order to signalto a wireless network 102 that module 101 continues to be attached in anidle state. In other exemplary embodiments, a module 101 could use aregular SIM or UICC in order to connect with wireless network 102, andmodule 101 could use the steps illustrated in FIG. 5b to connect with aserver 105 without an eUICC 163.

FIG. 6

FIG. 6 is a simplified message flow diagram illustrating an exemplarymessage sent by a module, and an exemplary response received by themodule, in accordance with exemplary embodiments. FIG. 6 illustratesexemplary details within message 208 sent by module 101 and alsoresponse 209 received by module 101. Message 208 may comprise a TCP/UDPpacket 601 a sent from module 101 source IP:port 204 to server 105destination IP:port 207. According to an exemplary embodiment, UDP orUDP Lite formatting for TCP/UDP packet 601 a may be preferred. SourceIP:port 204 and destination IP:port 207 in message 208 may be includedwithin a header in TCP/UDP packet 601 a. Although a single message 208,response 209, module 101, and server 105 are shown in FIG. 6a , system100 as illustrated in FIG. 2 and other systems depicted herein maycomprise a plurality of each of the nodes and datagrams illustrated inFIG. 6. As contemplated herein, the term “datagram” may also refer to a“packet”, such that referring to as datagram 601 a can be equivalent toreferring to packet 601 a. Note that when using TCP protocol, a packetwithin a series of TCP messages can also be a datagram 601 a.

TCP/UDP packet 601 a may include a body 602, which can represent thedata payload of TCP/UDP packet 601 a. The data payload of message 208can optionally include channel coding 406 as described in FIG. 4 above,if the transport protocol for TCP/UDP packet 601 a supports thetransmission of bit errors in the body 602 (as opposed to entirelydropping the packet), such as, but not limited to, with the UDP Liteprotocol. Support for the transmission of bit errors in body 602 bywireless network 102 would be preferred over entirely discarding apacket, since the programs or algorithms used by a module controller 105x could include support for and utilization of channel coding 406.Without UDP Lite formatting, message 208 can alternatively sent bymodule 101 as a UDP datagram, such as if wireless network 102 (or awired connection) does not support the UDP Lite protocol.

Note that if (A) message 208 comprises (i) regular UDP or TCP formatting(i.e. not UDP Lite or similar variations) within an IPv6 network, or(ii) a UDP or TCP format within an IPv4 network with a checksum 603enabled (i.e. checksum 603 not equal to zero), then (B) channel coding406 may optionally be omitted. Checksum 603 can comprise a value to foran integrity check of a packet 601 a, and the calculation and use ofchecksum 603 is defined in IETF standards for TCP and UDP packets. Inaccordance with an exemplary embodiment, including the use of IPv6 forIP Network 107 and a UDP datagram for message 208 and response 209, achecksum 603 sent by module 101 in a message 208 does not equal achecksum 603 in the message 208 received by server 105, in the casewhere firewall 104 is present and the firewall 104 performs networkaddress translation.

The body 602 can include a module identity 110, module encrypted data403, and channel coding 406. The module identity 110 in FIG. 6 isillustrated as an encrypted module identity 110 a, and the encryptedmodule identity 110 a could be processed using a ciphering algorithmwithin a set of cryptographic algorithms 141 to convert the moduleidentity 110 into an encrypted module identity 110 a. Although notillustrated in FIG. 6, body 602 could also include a module digitalsignature 405, as illustrated in FIG. 6 of U.S. patent application Ser.No. 14/039,401. Module identity 110 in the form of an encrypted moduleidentity 110 a is illustrated in FIG. 6 as external to module encrypteddata 403, although module identity 110 may optionally only be includedin module encrypted data 403, and in this case module identity 110 wouldnot be external to module encrypted data 403 in a body 602. By includingmodule identity 110 as external to module encrypted data 403, server 105can use the unencrypted module identity 110 in order to select either(i) the appropriate module public key 111 to verify module digitalsignature 405 if an asymmetric cipher 141 a is used within cryptographicalgorithms 141, or (ii) the appropriate symmetric key 127 for a set ofcryptographic algorithms 141 to decrypt the module encrypted data 403.Module public key 111 and symmetric key 127 may preferably be recordedin a module database 105 k, such that server 105 can access a pluralityof public keys 111 or symmetric keys 127 associated with differentmodule identities 110 with different bodies 602 for a plurality ofmodules 101, which is also illustrated in FIG. 1 m.

Thus, by including module identity 110 external to module encrypted data403, server 105 can utilize the module identity 110 to query a moduledatabase 105 k and select the appropriate module public key 111 orsymmetric key 127. As noted previously, module identity 110 couldcomprise a string or number that is uniquely associated with moduleidentity 110, such as, but not limited to, a session identity, asopposed to being a module identity 110 that is read from hardware inmodule 101 such as, but not limited to, an IMEI number, Ethernet MACaddress, etc. Module identity 110 is illustrated in FIG. 6 as a sessionidentity that is a different representation of module identity 110 of aserial number such as in FIG. 2, but in both cases the values cancomprise a module identity 110 since the values can be uniquelyassociated with module 101 at different points in time.

According to an exemplary embodiment where asymmetric ciphering 141 a ofmodule encrypted data 403 is utilized, such as (i) the first message 208sent by module 101 and (ii) where a symmetric key 127 had not beenpreviously exchanged, module identity 110 can be (a) within moduleencrypted data and (b) not external to module encrypted data 403. Inthis case, server 105 can utilize server private key 105 c to, insequence, decrypt module encrypted data 403, extract module identity 110from the decrypted module encrypted data 403, and then used the moduleidentity 110 to select module public key 111 from module database 105 kin order to verify a module digital signature 405. In a relatedembodiment, if a module identity 110 is in body 602 and external tomodule encrypted data 403, then module identity 110 could be obfuscatedor otherwise ciphered according to a pre-agreed algorithm with server105, such that server 105 can utilize the obfuscated or ciphered moduleidentity 110 to select a module public key 111 from module database 105k. The value of “[Encrypted Module Identity]” shown in FIG. 6 couldcomprise an encrypted module identity 110 a, and the algorithm token 190in the form of a random number 128 a could be used with a secretciphering algorithm 141 h illustrated in FIG. 1g to convert a moduleidentity 110 to an encrypted module identity 110 a and also to convertan encrypted module identity 110 a to a module identity 110. The use ofan algorithm token 190 in a message 208 illustrated in FIG. 6 can beoptionally omitted in exemplary embodiments. According to an exemplaryembodiment where (i) symmetric ciphering 141 b of module encrypted data403 is utilized, such as after a first message 208 had already been sentby module 101 and a symmetric key 127 had previously been exchanged,then (ii) module identity 110 can be external to module encrypted data403 and in body 602 in order for server 105 to utilize module identity110 and select symmetric key 127 from a module database 105 k, therebyenabling server 105 to decrypt the module encrypted data 403 using theselected symmetric key 127 and a symmetric ciphering algorithm 141 b.

In exemplary embodiments, a module digital signature 405 may optionallybe omitted from body 602 after module 101 has previously sent symmetrickey 127 in a previous message 208 to the message 208 illustrated in FIG.6. In other words, in a series of messages 208, module 101 canpreferably change from (i) using asymmetric ciphering 141 a with in aprevious message 208 that includes symmetric key 127 in a moduleencrypted data 403 (where the initial message 208 also includes moduledigital signature 405 and module identity 110) to (ii) using symmetricciphering 141 b with subsequent messages 208 without module digitalsignature 405 in the series (where the subsequent messages 208 canoptionally include an encrypted module identity 110 a external to moduleencrypted data 403 for server 105 to select the appropriate symmetrickey 127). Message 208 illustrated in FIG. 6 can comprise a subsequentmessage 208 as described in the previous sentence. A series of messages208 could begin when the initial message 208 is sent by module 101 andend when expiration time 133 of symmetric key 127 has transpired, andsubsequently a new series of messages 208 could begin where the firstmessage 208 in the new series of messages changes back to asymmetricciphering 141 a with initial message 208 that includes symmetric key 127in a module encrypted data 403 (where the initial message 208 alsoincludes a new module digital signature 405). An example of the initialmessage 208 described in this paragraph can comprise message 208illustrated in FIG. 6 of U.S. patent application Ser. No. 14/039,401,filed Sep. 27, 2013 in the name of John Nix, which is herebyincorporated by reference in its entirety. Other possibilities exist aswell without departing from the scope of the present invention.

Using a message 208 with a module digital signature 405 can be both moreefficient and overall more secure than digest authentication (such asthe digest authentication described in IETF RFC 2069), although usingdigest-based authentication may be alternatively used. The use of amodule digital signature 405 requires only a single packet for message208 and a single packet for response 209 for secure communicationbetween module 101 and server 105. Module encrypted data 403 illustratedin FIG. 6 can be processed using the steps and algorithms described inFIG. 4. Note that module encrypted data 403 as illustrated in FIG. 6 isshown in a plaintext form for ease of illustration, but actual moduleencrypted data 403 within body 602 of a packet 601 a could betransmitted as binary, hexadecimal, Base64 binary-to-text encoding, orother encoding rules, and strings of the actual data within moduleencrypted data 403 would not normally be human readable.

In an exemplary embodiment, encryption by module 101 may optionally beomitted, and the server instruction 414 with corresponding data could beincluded within a message 208 without encryption within the body 602,such as if security could be maintained at the network level. As oneexample for this embodiment without encryption, server instruction 414could be included in body 602 as plaintext. The encryption and/orsecurity could be applied through other means, such as, but not limitedto, the use of symmetric ciphering 141 b such as AES 155 at thedata-link layer, where packets transmitted through a wireless network102 could be encrypted at the data-link layer, but after conversion to anetwork-layer message such as the exemplary datagram 601 a illustratedin FIG. 6, the datagram 601 a could optionally omit encryption such as amodule encrypted data 403.

Module encrypted data 403 can include a server instruction 414, a serveridentity 206, a module identity 110, a security token 401, a timestamp604, and a sensor measurement 305. The server instruction 414 canrepresent the purpose of the message 208 for server 105, and FIG. 6illustrates an “update” for server instruction 414. An update for serverinstruction 414 could be used to periodically notify server 105 ofregular, periodic sensor measurements 305 acquired by a sensor 101 f oralso data from a plurality of sensors. An update for server instruction414 may also comprise a periodic report regarding monitored unit 119,and a server instruction 414 is described in FIG. 4. Other serverinstructions 414 besides an “update” may be included in a moduleencrypted data 403 within a body 602. The “update” illustrated inmessage 208 in FIG. 6 can also include a new symmetric key 127, and themodule encrypted data 403 illustrated in FIG. 6 may comprise the use ofeither an asymmetric ciphering 141 a with public/private keys, or (ii)symmetric ciphering 141 b with a symmetric key 127.

An initial transmission or negotiation of a symmetric key 127 maypreferably utilize asymmetric ciphering 141 a and the use of a publickey as an encryption key and a private key as a decryption key.Subsequent transmission of a new symmetric key 127 may utilize either(i) a symmetric cipher 141 b with a previously negotiated but stillvalid symmetric key 127 (i.e. expiration time 133 has not transpired),or (ii) asymmetric ciphering 141 a. If the data within instruction 414is longer than the maximum data length supported by a selectedasymmetric ciphering algorithm 141 a and the public/private key pair,then module encrypted data 403 within message 208 can be broken up intoseveral sections, such that the data within each section is less thanthe maximum data length supported by the asymmetric ciphering algorithm141 a and key length. In an exemplary embodiment, a first symmetric key127 can be used with module encrypted data 403 and a second symmetrickey 127 can be used with server encrypted data 504. The first symmetrickey 127 and second symmetric key 127 can be different, including using afirst symmetric ciphering algorithm 141 b with the first symmetric keyand a second symmetric ciphering algorithm 141 b with the secondsymmetric key 127. In another exemplary embodiment, in order to reducethe number of messages required to be transmitted and thus save powerusage by a module 101, symmetric key 127 used with module encrypted data403 and server encrypted data 504 can be the same and rotatedperiodically such, but not limited to, when expiration time 133 for asymmetric key 127 transpires.

Module identity 110 within module encrypted data 403 can represent theidentity of module 110, and could represent a serial number read bymodule 101 from a read-only hardware address. Module identity 110 isdescribed in FIG. 1c and can represent a unique identifier of module101. Module identity 110, such as an encrypted module identity 110 a,outside module encrypted data 403 can represent a string or number thatis different than a serial number that can be used by module 101 withina module encrypted data 403. Security token 401 within module encrypteddata 403 can represent a random string in order to make message 208reasonably unique and thus system 100 in FIG. 2 and other systemsillustrated herein robust against replay attacks. Security token 401 isdescribed in FIG. 5a . Timestamp 604 can represent a time value thatmodule 101 sends message 208 or a time value that module 101 acquiredsensor data 305. Sensor data 305 is described with the description of asensor 101 f in FIG. 1c , and sensor data 305 can represent data module101 acquires using sensor 101 f. Sensor data 305 within message 208 maybe stored by server 105 in a module database 105 k, or potentiallyforwarded to another server such as, but not limited to, a moduleprovider 109 for additional processing. Sensor data 305 can comprise awide range of values for a sensor 101 f besides the exemplary value of atemperature reading shown in FIG. 6, including raw sensor data,compressed sensor data, and processed or averaged data. The specificsensor data 305 shown in FIG. 6 is illustrated to be exemplary and notlimiting for sending and receiving sensor data. Sensor data 305 may alsobe referred to as a sensor measurement 305.

FIG. 6 also illustrates exemplary details within response 209 sent byserver 105. Response 209 may comprise a TCP/UDP packet 601 b sent fromserver 105 IP:port 207 the IP address 210 and port number 605, where IPaddress 210 represents the external IP address of wireless networkfirewall 104, if present, and port number 605 is the source port inmessage 208 as received by server 105 (i.e. the source port in message208 after traversing the firewall 104 illustrated in FIG. 6a ). Thus,IP:port with IP address 210 and port number 605 in response 209 may bedifferent than IP:port 204 in message 208, since the presence of awireless network firewall 104 may perform NAT routing, which couldchange the source IP address and source port number from IP:port 204 toIP address 210 and port number 605 in message 208, as received by server105. The use of wireless network firewall 104 in wireless network 102may require that response 209 be sent from IP:port 207 to IP address 210and port number 605 in order to be properly processed by firewall 104and forwarded to module 101 at IP:port 204. Source IP:port 207 anddestination IP address 210 and port number 605 in response 209 may beincluded within a header in TCP/UDP packet 601 b, as illustrated in FIG.6. TCP/UDP packet 601 b could comprise a regular UDP packet, a UDP Litepacket, or a TCP datagram, or similar protocols supported by an IPNetwork 107. TCP/UDP packets 601 a and 601 b may utilize the sameprotocol.

As noted previously, the use of checksums may be mandatory in IPv6networks, and thus a response 209 comprising a packet 601 b can includea checksum value 603 (illustrated in message 208 but not response 209)for the header. The use of firewalls such as firewall 104 can change theheader values in a packet 601 b. In accordance with a preferredexemplary embodiment, a first checksum value 603 within a response 209sent by server 105 can be different and/or not equal to a secondchecksum value 603 within the response 209 received by module 101.Likewise, in an exemplary embodiment, a first checksum value 603 withina message 208 sent by a module 101 can be different and/or not equal toa second checksum value 603 within the message 208 received by server105, potentially due to the presence of a firewall 104 or other routerthat performs network address translation, where the destination IPaddress within a response 209 sent by a server 105 is different than theIP address 204 of a module 101.

A UDP, TCP, or UDP Lite datagram as a TCP/UDP packet 601 b withinresponse 209 may include a body 606. Body 606 may comprise the payloador data within a UDP, TCP, or UDP Lite packet. Body 606 can include aserver identity 206, a server digital signature 506 (not shown in FIG.6), server encrypted data 504, and channel coding 406. Server identity206 is illustrated in FIG. 6 as external to server encrypted data 504within body 606, but server identity 206 may optionally be included inserver encrypted data 504 instead. Module 101 may communicate with aplurality of servers 105, and server identity 206 as external to serverencrypted data 504 can allow module 101 to select the appropriatesymmetric key 127 to utilize for decrypting server encrypted data 504(since each of the multiple servers 105 that module 101 communicateswith may utilize a different symmetric key 127).

Also note that the server identity 206 can be similar to module identity110, such that multiple different values for server identity 206 couldbe utilized in different systems illustrated herein, but each of thedifferent values could preferably be uniquely associated with a server105. As one example, server identity 206, outside server encrypted data504 as illustrated in FIG. 6, may comprise a session identity or sessionidentifier, as opposed to a different server identity 206 that couldcomprise a hardware serial number or domain name for server 105. Thus,server identity 206 outside a server encrypted data 504 may be adifferent string or representation than server identity 206 withinserver encrypted data 504, but both strings/numbers used for serveridentity 206 in response 209 could be associated with server 105. In anexemplary embodiment, a set of servers 105 n can collectively use aserver identity 206.

Although not illustrated in FIG. 6, a server digital signature 506 inbody 606 can comprise a secure hash signature of a subset of body 606,where the subset of body 606 can comprise server encrypted data 504,and/or server identity 206 as illustrated in FIG. 6. The use of a serverdigital signature 506 in a body 606 is illustrated in FIG. 6 of U.S.patent application Ser. No. 14/039,401, filed Sep. 27, 2013 in the nameof John Nix, which is hereby incorporated by reference in its entirety.In this manner, module 101 can utilize server digital signature 506 toauthenticate that response 209 was sent by server 105. Channel coding406 in body 606 is also depicted and described in connection with FIG. 5above. The server digital signature 506 may optionally be omitted aswell.

Body 606 may include server encrypted data 504. Server encrypted data504 is depicted and described in connection with FIG. 5a above. Serverencrypted data 504 may include an acknowledgement 501, whereinacknowledgement 501 can notify module 101 that message 208 has beenreceived by server 105. As illustrated in FIG. 6, server encrypted data504 may optionally also include a module instruction 502 for module 101.The module instruction 502 could be a string that contains instructionsor configuration parameters for module 101, such as an order to changestate, parameters regarding the monitoring of monitored unit 119, servernames or addresses, radio frequency parameters, timer values, settingsfor actuator 101 y, etc. A module instruction 502 is depicted anddescribed in connection with FIG. 5a above. The exemplary moduleinstruction 502 illustrated in FIG. 6 comprises a “key generation” 608instruction for module 101 derive a new set of keys, also depicted anddescribed in connection with FIG. 5b above at a step 515 or step 316.

In an embodiment where module 101 uses an eUICC 163, server encrypteddata 504 could include a received eUICC profile 311. An example of aserver 105 sending a server encrypted data 504 with a received eUICCprofile 311 is depicted and described in connection with step 519 ofFIG. 5b . In an exemplary embodiment, the server 105 sending thereceived eUICC profile 311 can be different than a server 105 receivingsensor data 305. In these embodiments where the server 105 sending thereceived eUICC profile 311 is different than the server 105 receivingsensor data 305, module 101 can send the server 105 (possibly associatedwith or operated by an eUICC subscription manager 164) a message 208before receiving the response 209 with the server encrypted data 504containing the received eUICC profile 311. The message 208 to the server105 operated by an eUICC subscription manager 164 could include a moduledigital signature 405 processed by a module 101 using the derived moduleprivate key 112 in a module PKI key pair 315. In this manner, the server105 associated with the eUICC subscription manager 164 can verify themessage 208 is sent by the correct and/or authenticated module 101before sending the received eUICC profile 311 in a response 209. Notethat a received eUICC profile 311 may be encrypted with a either (i) asymmetric ciphering algorithm 141 b or an asymmetric ciphering algorithm141 a before encapsulation in a message 208, and in this case the serverencrypted data 504 for receiving the received eUICC profile 311 mayoptionally be omitted. In other words, the received eUICC profile 311may not need additional encryption by a server 105 for transmissionsince the received eUICC profile 311 may already be encrypted.

Other possibilities for a module instruction 502 within a response 209are possible as well without departing from the scope of the presentinvention. Although not depicted in FIG. 6 or FIG. 2, if response 209includes a module instruction 502, according to an exemplary embodiment,module 101 can preferably send a second message 208 to server 105, wherethe second message 208 includes a confirmation that module instruction502 was successfully executed or implemented by module 101. Thisconfirmation could be included in a server instruction 414 for server105 within a second message 208, and the confirmation could include atimestamp value 604 for when the module instruction 502 was executed. Atimestamp value 604 may be useful for tracking time of actions and datacollected, when a module 101 may only periodically have access to anetwork 102 and also may periodically be dormant or sleep.

Also, although a server encrypted data 504 may be included within a body606 in exemplary embodiments, body 606 may optionally omit serverencrypted data 504 and include data from server 105 or a set of servers1010 (illustrated in FIG. 10) that is not encrypted, such as, but notlimited to, plaintext. As one example in this case, acknowledgement 501could be included in body 606 as plaintext. Also, although notillustrated in FIG. 6, server encrypted data 504 could include asymmetric key 127 for module 101 to utilize with symmetric ciphering 141b in cryptographic algorithms 141 for processing a module encrypted data403 in subsequent messages 208 and/or responses 209. Server encrypteddata 504 in a response 209 may include a security token 401. Securitytoken 401 may be a random string and may also be generated by eitherserver 105 or module 101. If security token 401 is generated by module101, then security token 401 may be included in message 208 and alsoutilized by server 105 in response 209, as illustrated in FIG. 6. Otherpossibilities exist as well without departing from the scope of thepresent invention.

FIG. 7

FIG. 7 is a flow chart illustrating exemplary steps for a module toderive a series of public keys and private keys, including sending andauthenticating the derived public keys, in accordance with exemplaryembodiments. In order to utilize communications secured with PKItechniques such as private keys, public keys, certificates, andidentities, a module 101 may preferably obtain or generate the keys andcertificate in a secure manner. Given that a plurality of modules 101may be deployed in potentially remote places, without frequent contactwith end users or technicians, the use of secure PKI techniques for amodule 101 can create a significant set of challenges for the generationof module public key 111 and module private key 112, as well as properlyand securely obtaining a certificate 122 with an module identity 110.Using conventional technology, significant challenges and costs can beincurred when (i) module 101 has already been deployed, such ascollecting data from a monitored unit 119, and (ii) module 101 needs toutilize either (a) a new set of module private key 112 and module publickey 111 or (b) a new UICC card. In exemplary embodiments, a module 101could implement steps within FIG. 7 in order to utilize an eUICC 163 inorder to connect with a wireless network 102. The use of an eUICC 163for connecting with a wireless network 102 is optional, and the stepsillustrated in FIG. 7 can be conducted without the use of an eUICC 163.

The proper use of a new set of module private key 112 and module publickey 111 may utilize the particular steps and procedures contemplatedherein, in order to minimize any potential human intervention (withrelated costs) while continuing to maintain security. Over a long periodof operating time for a module 101, such as a decade or longer, theremay be many reasons module 101 may need a new pair of PKI keys, such as(i) expiration of a certificate, or the certificate of a parentsignature authority, (ii) the transfer of ownership or control of module101, where the prior ownership could have direct or indirect access tothe module private key 112, (iii) supporting a new server 105 that hasdifferent security requirements or a different set of cryptographicparameters 126 (such as, but not limited to longer keys, different ECCcurves, etc.), (iv) revocation of a public key in a chain of signatures123 within a certificate 122, and/or (v) the use of a module PKI keypair 314 within network credentials 314 for activated eUICC profiles313, where (a) the network credentials 314 are used to access a wirelessnetwork 102, and (b) module 101 may prefer to connect with multipledifferent wireless networks 102 over time using different networkcredentials 314. In the case of (ii), new ownership of module 101 mayrequire a module 101 to utilize a new module private key 112. In thecase of (iii) a new server 105 may require a pair of public/private keysincompatible with a prior set of public/private keys utilized by module101 and/or a certificate 122 for module 101. For embodiments wheremodule 101 and server 105 derive a new secret shared network key K 129d, module 101 may derive a new module private key 112 in order to derivethe new secret shared network key K 129 d for connecting with adifferent wireless network 102. Other possibilities exist as well forreasons a module 101 may need to derive a new module public key 111 andnew module private key 112.

The general approach adopted by most mobile phone networks over the pasttwo decades has been founded upon the use of a pre-shared secret keyrecorded in SIM cards and UICCs, such as the Ki secret key in 2G/3Gnetworks and shared secret key K in 4G LTE networks. That approach maywork for mobile phones, where the SIMs can often be easily replaced, butthe use of a pre-shared secret key in a SIM may not be suitable for amodule 101 and mobile network operator 108. As one example, significantcosts may be incurred by swapping out a SIM card for already deployedmodules 101, especially if they are in remote locations or continuallymoving such as a tracking device on a container or pallet, or a truck orautomobile. Next, a module 101 may preferably record multiple pairs ofpublic/private keys 111/112 for various functions, such as connecting todifferent servers 105, connecting to different wireless networks 102,etc. The number of pairs of public/private keys useful to a module 101concurrently could be many, such as an exemplary two or more activelyused public/private keys. Trying to change or add a new SIM card eachtime a new security key is required may not be efficient or feasible.FIG. 7 illustrates exemplary steps that can be performed with module101, including using a module program 101 i, for generating and/orupdating a module public key 111 and module private key 112. The stepsillustrated in FIG. 7 include both (i) an “initial” or “startup” casewhere module 101 has not previously derived keys, and (ii) a subsequentor “follow on” time where module 101 can generate or derive keys afterthe initial derivation of keys. The steps illustrated for the derivationof new module PKI keys in FIG. 7 can also be used for an eUICC 163.

At step 701, during manufacturing of module 101, including manufacturingof sub-components such as a circuit board or assembly of hardwarecomponents illustrated in FIG. 1c , etc., a module identity 110 could bewritten into the hardware, and could comprise a serial number,International Mobile Equipment Identity (IMEI) number, Ethernet MACaddress, etc. For security purposes, a module identity 110 maypreferably be written into a read-only location, such as a readablelocation on a system bus 101 d, which could also comprise a ROM 101 c.The read-only location could also comprise a protected memory orprotected address within module 101. A protected memory could alsocomprise a memory location within a ROM 101 c. Recording and utilizingmodule identity 110 is also depicted and described in connection withFIG. 1c , FIG. 2, and elsewhere herein. Alternatively, module identity101 could be recorded in a non-volatile memory such as a flash memory101 w. For embodiments where a module 101 utilizes an eUICC 163 in orderto connect with a wireless network 102, the module identity 110 asdepicted in FIG. 7 can comprise a network module identity 110 b, and thenetwork module identity 110 b does not need to be written to a read-onlylocation in module 101, but rather can be written to a nonvolatilememory such as, but not limited to, a flash memory 101 w.

At step 702, module 101 can be distributed to end users and alsoinstalled with a monitored unit 119. At step 703, parameters 126, and aserver address 207 can be recorded in a nonvolatile memory 101 w.Parameters 126 may comprise settings or values for a cryptographicalgorithms 141 as illustrated in FIG. 1d and FIG. 1i , including (i) keylengths, (ii) algorithms to utilize for key generation or ciphering,such as the specification of an elliptic curve utilized illustrated asparameters 126 in FIG. 1i , (iii) a specific secure hash algorithm 141 cto utilize, such as SHA-256 or SHA-3, (iv) an expiration date of thepublic key 111, and/or (v) a maximum time value for an expiration time133 associated with symmetric keys 127, etc. The parameters 126 in astep 703 could comprise either a first set of cryptographic parameters126 or a first subset of cryptographic parameters 126 a. Although notillustrated in FIG. 7, at step 702 a configuration file could also beloaded into non-volatile memory, where the configuration file includes aplurality of fields specifying the operation of module 101. Theparameters 126, and server address 207 could be included in aconfiguration file.

Continuing at step 703, server name 206 could be utilized in place of orin addition to server address 207, and in this case module 101 can laterperform a DNS or DNSSEC lookup using server identity 206 in order toobtain server address 207 for use in a message 208. Server address 207(or server identity 206) could also be recorded in a ROM 101 c at step703. Step 703 may also be performed concurrently with step 701 or step702. Note that step 703 may take place multiple times during thelifetime of a module 101, and in this case (a) the first time step 703is conducted, step 703 could be conducted concurrent with steps 701 or702, and (b) a subsequent time step 703 is conducted, step 703 could beconducted after the receipt of a response 209, where the response 209includes a second server address 207, and also potentially a new moduleidentity 110. In other words, although not illustrated in FIG. 7, amodule 101 could return to step 703 from later steps upon the equivalentof a “factory reset”, or similar command where flash memory 101 w andother nonvolatile memory would be cleared. One example could potentiallybe the transfer of ownership of module 101, or a second example could bethe upload of new firmware that is incompatible with a previousconfiguration file.

Continuing at step 703, shared secret key 129 may comprise a sharedsecret key 129 c or a pre-shared secret key 129 a. Given that module 101may not derive a private key until a step 515 illustrated below in FIG.7, a derived shared secret key 129 b may not be available from a keyderivation function 141 f at step 702. A shared secret key 129 c couldbe a value depicted and described in connection with FIG. 1f . Sharedsecret key 129 c can be calculated or processed using input of (i) a setof component parameters 101 t and (ii) an algorithm token 190 into ashared secret algorithm 141 g, where the output of shared secretalgorithm 141 g can be the shared secret key 129 c. In an exemplaryembodiment, shared secret key 129 c may be calculated and determined bymodule 101 (i) without any prior communication with server 105 and also(ii) before module 101 receives a server public key 114. Although step703 in FIG. 7 illustrates module 101 as recording shared secret key 129in a nonvolatile memory, module 101 could alternatively record sharedsecret key 129 (in the form of a key 129 c or 129 a) and algorithm token190 in a volatile memory such as RAM 101 e. For embodiments where themodule 101 utilizes an eUICC 163 to connect with a wireless network 102,the recording of shared secret key 129 and related data in a step 703can comprise recording a received eUICC profile 311. The shared secretkey 129 can comprise a shared secret key 510 as depicted and describedin connection with FIG. 3b . In another embodiment, the shared secretkey 129 in a step 703 could comprise the initial key K 325 recorded in areceived eUICC profile 311, also depicted and described in connectionwith FIG. 3b . The first set of cryptographic parameters 126 and theserver address 207 could also be recorded in the eUICC 163 in the formof a received eUICC profile 311.

In an exemplary embodiment, shared secret key 129 could be obtained andloaded by a distributor, installer, or end user into a nonvolatilememory such as flash memory 101 w in the form of a pre-shared secret key129 a, where pre-shared secret key 129 a was obtained using a moduleidentity 110 and pre-shared secret key code 134 as depicted anddescribed in connection with FIG. 1c above. Module 101 could alsoutilize a first pre-shared secret key 129 a, including a firstpre-shared secret key 129 a entered by potentially a distributor,installer, or end-user discussed in FIG. 1c , to derive shared secretkey 129. Other possibilities exist as well for shared secret key 129,and shared secret key 129 can be useful for either the authentication ofmodule 101 and/or the proper identification of module 101 upon module101's generation of a private key 112 and public key 111, as describedbelow, including step 705. For embodiments where the module 101 utilizesan eUICC 163 to connect with a wireless network 102, an initial,received eUICC profile 311 could be loaded into a nonvolatile memory bya manufacturer, distributor, installer, or end-user, and the data for astep 703 could be recorded in the initial, received eUICC profile 311.Or, the module 101 could include both a UICC and an eUICC 163, and themodule 101 could use the physical UICC to initially connect with a firstwireless network 102, and subsequently use a received eUICC profile 311and the eUICC 163 to connect with a second, subsequent wireless network102.

In an exemplary embodiment, an initial module private key 112 b andinitial module public key 111 b could be recorded into nonvolatilememory at step 703. For example, a manufacturer, distributor, installer,technician, or end-user could load the initial module private key 112 band initial module public key 111 b, where the initial module public key111 b would be utilized to authenticate at step 705 a subsequent set ofpublic/private keys derived by module 101 at step 704. In this case, theinitial module public key 111 b and/or initial module private key 112 bdescribed in the previous two sentences could comprise the shared secretkey 129. One reason the initial module private key 112 b with theinitial module public key 111 b could comprise a shared secret key 129can be, if the initial module public key 111 b and initial moduleprivate key 112 b are present, (i) the initial module private key 112 band initial module public key 111 b together have been “shared” in thesense that the initial module private key 112 b has been located outsidemodule 101 and in possession of an entity such as the manufacturer,distributor, installer, technician, or end-user in order to load theinitial module private key (and initial module public key 111 b isshared with server 105), (ii) the initial module private key 112 b andinitial module public key 111 b can be used to authenticate a subsequentmessage 208 containing a public key internally derived by the module atstep 704 below, and (iii) the initial module private key 112 b wouldremain “secret” and not publicly shared. Thus, FIG. 7 contemplates anembodiment where shared secret key 129 at step 703 comprises an initialpublic/private key pair that is not internally derived by module 101.

Note that the contemplation of the use of shared secret key 129 as apre-shared secret key 129 a within the present invention may bedifferent than the use of a pre-shared secret key within a SIM card.Specifically, as depicted and described in connection with FIG. 1c andelsewhere herein, the shared secret key 129, comprising any of (i) apre-shared secret key 129 a, (ii) derived from a pre-shared secret key129 a, or (iii) a shared secret key 129 c, may be moved by CPU 101 binto a volatile memory such as RAM 101 e, with subsequent access bycryptographic algorithms 141. In contrast, the pre-shared secret keywithin a SIM card or UICC for mobile phones is usually designed toprevent movement of the pre-shared secret key within a SIM or UICC intoRANI 101 e.

At step 704, module 101 can authenticate with a server 105 using thedata from a nonvolatile memory recorded in step 703. In the embodimentwhere a module 101 uses an eUICC 163 to connect with a wireless network102, the server 105 could be operated by a mobile network operator 108and also could be associated with or reside in wireless network 102. Inan exemplary embodiment, a module 101 can be distributed or installedbetween steps 703 and steps 704. In order to perform 2-wayauthentication at a step 704, module 101 can read module identity 110using a read-only address or a protected address. Module 101 can readmodule identity 110 directly from read-only hardware address by usingsystem bus 101 d, including from a ROM 101 c, or module 101 can readmodule identity 110 from a nonvolatile memory such as a flash memory 101w. Thus, the read-only address or protected address could comprise anaddress accessible on system bus 101 d that is designated read-only fora period of time.

As contemplated herein, a protected address can comprise an address or amemory location that can be read-only (i) for a period of time and/or(ii) upon an elevated set of privileges not normally used in theoperation of a module 101. The module identity 110 used in a step 704for authentication could be recorded into a flash memory 101 w by module110 after a prior read of module identity 110 from a read-only addressor a protected address. In this case (module 101 taking the stepdescribed in the previous sentence), reading module identity 110 fromthe nonvolatile memory at step 704 can also comprise module 101 readingmodule identity 110 using a read-only address or a protected address.Thus, although module 101 may read module identity 110 from a flashmemory 101 w, if (a) module 101 initially utilized a read-only addressto record the module identity 110 into the flash memory 101 w, then (b)reading module identity 110 from the flash memory 101 w would compriseusing a read-only address to read module identity 110. Otherpossibilities exist as well, such as the address that includes moduleidentity 110 in either (i) a nonvolatile memory such as a ROM 101 c or(ii) an address accessible on system bus 101 d, could be designated fora period of time as available for a read-only or protected operations.

Note that using a module identity 110 from a read-only address or aprotected address within module 101 can be important for the use of aneUICC 163. The module identity 110, possibly in the form of a hardwareserial number or IMEI, can serve as the basis for an identifier oridentity of module 101 with an eUICC subscription manager 164, since anetwork module identity 110 b can change for the same module 101 overtime as different received eUICC profiles 311 can be activated withdifferent network module identities 110 b. In other words, a module 101can use the module identity 110 in order to receive a received eUICCprofile 311 from an eUICC subscription manager 164 instead of, or inaddition to, a network module identity 110 b from the eUICC subscriptionmanager 164 since a network module identity 110 b can change for amodule 101 over time when using an eUICC 163.

Continuing at step 704, module 101 can take steps to conduct a 2-wayauthentication with server 105. In order for module 101 to authenticatewith server 105, module 101 can send a message 208 with a moduleidentity 110 to the server address 207, which could belong to a server105. In an exemplary embodiment, module identity 110 at a step 704, orany step where module 101 authenticates or verifies identity with aserver 105, can comprise the form of an encrypted module identity 110 ausing a secret ciphering algorithm 141 h as depicted and described inconnection with FIG. 1g . In this case, the message 208 with anencrypted module identity 110 a would also preferably include thealgorithm token 190 used by module 101 to derive the encrypted moduleidentity 110. The server could extract the plaintext module identity 110using a secret ciphering algorithm deciphering 162. Alternatively, themodule identity 110 could be sent as plaintext in a step 704. In orderto authenticate module 101 with module identity 110 at step 704, server105 can utilize the shared secret key 129 to authenticate module 101 atstep 704, such that after authentication, the contents of message 208 oradditional messages 208 from module 101 can be further processed.

For embodiments where the module 101 utilizes an eUICC 163 to connectwith a wireless network 102, the 2-way authentication using sharedsecret key 129 at a step 704 could comprise module 101 conducting a2-way authentication with a server 105 associated with a subscriptionmanager 164. The shared

secret key 129 and related data in a step 704 could be read from areceived eUICC profile 311. The shared secret key 129 can comprise ashared secret key 510 within a received eUICC profile 311. Forembodiments where the module 101 utilizes an eUICC 163 to connect with awireless network 102, the 2-way authentication could be conducted withan initial key K 325 in a step 704 using the standard 2-wayauthentication for an LTE and related networks where the wirelessnetwork 102 sends a RAND and AUTN, and module 101 sends a RES. In thiscase, the shared secret key 129 could comprise the initial key K 325.

Continuing at step 704, server 105 can authenticate module 101 using themodule identity 110 in message 208 and a message digest, such asdescribed in IETF RFC 2617, titled “HTTP Authentication: Basic andDigest Access Authentication”. Other reasonably secure authenticationstechniques using a shared secret key 129 could be utilized withoutdeparting from the scope of the present invention. In order toauthenticate, module 101 could take steps to demonstrate to server 105that module 101 holds the same shared secret key 129. Module 101 canproperly respond to a challenge/nonce in a message digest authenticationby sending a secure hash value calculated using (i) the challenge/nonceand (ii) the shared secret key 129. Or, module 101 could authenticate bygenerating a module digital signature 405 in message 208 using theshared secret key 129. In addition, module 101 could utilize the sharedsecret key 129 as a symmetric key 127 to encrypt a module encrypted data403 with symmetric ciphering 141 b, and if server 105 could properlydecrypt the module encrypted data 403 using the same shared secret key129 on the server, then server 105 would know the correct module 101sent the message 208 and thereby would be authenticated. Otherpossibilities exist as well for a module 101 to authenticate with aserver 105 using a shared secret key 129, or a shared secret key 510 oran initial key K 325 in the case where module 101 uses an eUICC 163 toconnect with a wireless network 102, without departing from the scope ofthe present invention.

Continuing at step 704, module 101 can also preferably authenticateserver 105 in order to complete a 2-way authentication. Module 101 cantake steps to ensure or verify that server 105 with reasonable assurancealso holds the shared secret key 129, or a shared secret key 510 or aninitial key K 325 in the case where module 101 uses an eUICC 163 toconnect with a wireless network 102. Module 101 could authenticateserver 105 using message digest, such that module 101 issues achallenge/nonce, and verifying that server 105 properly responds to thechallenge/nonce with a correct secure hash value, such as the outputfrom a secure hash algorithms 141 c. Or, server 105 could authenticatewith module 101 by the module receiving a server digital signature 506in a response 209 using the shared secret key 129. In addition, module101 could utilize the shared secret key 129 as a symmetric key 127 todecrypt a received server encrypted data 504 with symmetric ciphering141 b, and if module 101 could properly decrypt the server encrypteddata 504 using the shared secret key 129, then module 101 would know thecorrect server 105 sent the response 208 and thereby the server 105would be authenticated. Other possibilities exist as well for a server105 to authenticate with a module 101 using a shared secret key 129without departing from the scope of the present invention.

Continuing at step 704, module 101 can receive a set of cryptographicparameters 126, preferably after module 101 completes authenticationwith server 105 (in order for server 105 to not send the set ofcryptographic parameters 126 to 3^(rd) parties). A set of cryptographicparameters 126 received in a step 704 can also comprise a second set ofcryptographic parameters 126, where the second set of cryptographicparameters 126 could be different or the same as the first set ofcryptographic parameters 126 from a step 703. The second set ofcryptographic parameters 126 at a step 704 can comprise a subset ofcryptographic parameters 126 a as depicted and described in connectionwith FIG. 1i . Module 101 could send the set of cryptographic parameters126 recorded in step 703 to the server 105, and the server 105 couldrespond with a subset of cryptographic parameters 126 a. In anotherembodiment, server 105 could send module 101 the second set ofcryptographic parameters 126 at step 704, and module 101 could send asubset of the cryptographic parameters 126 a to the server. Inembodiments where module 101 uses an eUICC 163, receiving the second setof cryptographic parameters 126 at a step 704 could comprise receiving areceived eUICC profile 311 that includes the second set of cryptographicparameters 126.

At the conclusion of step 704 the module 101 and server 105 canpreferably agree on a set of cryptographic parameters 126 for use withcryptographic algorithms 141 for further communication. Note that amodule 101 and a server 105 can communicate a set of cryptographicparameters 126 by using a set of cryptographic parameters token 126 c,such that a packet transmitted could contain the token 126 c as anidentifier for a set of cryptographic parameters 126. For example, amodule 101 could send or receive the token 126 c with an exemplary valueof “Set A” illustrated in FIG. 1i , instead of sending or receiving thecomplete set of cryptographic parameters 126. In an exemplaryembodiment, the transmission of cryptographic parameters 126 or a token126 c at a step 704 comprises encrypting the cryptographic parameterswith shared secret key 129 as a symmetric ciphering key 127 in asymmetric ciphering algorithm 141 b. Note that receiving a second set ofcryptographic parameters 126 could optionally be omitted from a step704, and in this case the first set of cryptographic parameters 126 orsubset of cryptographic parameters 126 a from a step 703 could be usedby a module 101 in a subsequent step 515 or a step 316 below in FIG. 7.In embodiments where module 101 uses an eUICC 163, the second set ofcryptographic parameters in a step 704 could comprise the set ofcryptographic parameters 126 within a received eUICC profile 311, and amodule 101 could receive the second set of cryptographic parameters 126using a system bus 101 d. In other words, when a module 101 is depictedin FIG. 7 and other Figures herein as receiving data, exemplaryembodiments contemplate that a CPU 101 b within module 101 receiving thedata using a system bus 101 d, and thus the received data could also belocally stored or recorded within a module 101.

The module 101 can send cryptographic parameters 126 from step 703 in amodule encrypted data 403 and the module 101 can receive cryptographicparameters 126 from the server in a server encrypted data 504. In thismanner, module 101 can securely communicate cryptographic parameters 126without first deriving a module public key 111 and module private key112. An agreed subset of cryptographic parameters 126 a as illustratedin FIG. 1i may be necessary for module 101 to derive a compatible modulepublic key 111 for the server 105. A system 100 and other systemsillustrated herein can be flexible for supporting a wide range ofmodules 101 and servers 105, while remaining reasonably secure, by both(i) encrypting proposed cryptographic parameters 126 using the sharedsecret key 129 and (ii) agreeing on a subset of cryptographic parameters126 a as illustrated in FIG. 1 i.

After step 704, module 101 can then derive a first module public key 111and a first module private key 112 pair, and record the values in amemory, which could comprise a nonvolatile memory such as flash memory101 w. In this manner, the key pair can be available to module 101 uponrecovery from lost power. A module 101 could use (i) a step 515 depictedand described in connection with FIG. 5b or, (ii) a step 316 depictedand described in connection with FIG. 3b and FIG. 5b in order to derivethe key pair, and could also use the second set of cryptographicparameters 126 obtained through a step 704 above (which could comprise asubset of cryptographic parameters 126 a). In embodiments where a module101 uses an eUICC 163 to connect with a wireless network 102, a profileactivation step 316 can be used in FIG. 7 to populate or record aderived module PKI key pair 315 within an activated MNO networkcredentials 314 for an activated eUICC profile 313. At step 515, or astep 316 in FIG. 7 for embodiments where a module 101 uses an eUICCprofile 313, module 101 can derive module private key 112 and acorresponding module public key 111 using (i) random number generator128, (ii) the second set of cryptographic parameters 126 or the secondsubset of cryptographic parameters 126 a from a step 704, (iii)cryptographic algorithms 141, and (iv) a key pair generation algorithm141 e. In an embodiment where the set of cryptographic parameters 126are omitted from a step 704, then (i) in a step 515 in FIG. 7 module 101could use the first set of cryptographic parameters 126 from step 703,or (ii) in a step 316 in FIG. 7 module 101 could use the set ofcryptographic parameters 126 recorded in the activated eUICC profile313, which could also comprise the same or equivalent set ofcryptographic parameters 126 recorded in the received eUICC profile 311.The set of cryptographic parameters 126 recorded in the activated eUICCprofile 313 could also comprise a subset of cryptographic parameters 126a as illustrated in FIG. 1 i.

Module private key 112 and corresponding module public key 111 can bederived in a step 515 or a step 316 according to a wide range ofparameters 126, and can be selected from different algorithms, such asRSA 153 or ECC 154. Key derivation at step 515 could generate keys ofdifferent lengths, such as 2048 bits with RSA 153 or 283 bits with ECC154, and other possibilities exist as well. If using ECC 154 to derive apair of keys for module 101, a step 515 or a step 316 in FIG. 7 couldalso accommodate the use of different elliptic curves for compatibilitywith server 105, such as the use of odd-characteristic curves, Koblitzcurves, etc. Additional example elliptic curves utilized in thegeneration or derivation of a key pair include the curves sect283k1,sect283r1, sect409k1, sect409r1, etc., which are identified as examplecurves in IETF RFC 5480, titled “Elliptic Curve Cryptography SubjectPublic Key Information”.

The ECC curve for a derived module public key 111 and module private key112 can be specified in a subset of cryptographic parameters 126 a froma step 704. Consequently, the parameters of keys generated by module 101at a step 515 (including key length or algorithms utilized) may beselected based upon the requirements of the application and can beincluded in a set of cryptographic parameters 126. When deriving keys ata step 515 or a step 316, in an exemplary embodiment module 101 may alsopreferably utilize data from sensor 101 f, radio 101 z, a bus 101 d, aphysical interface 101 a, memory 101 e, and/or a clock 160 in order togenerate a seed 128 b for random number generator 128, or random numbergenerator 128 could utilize these inputs directly. A random number canbe input into key pair generation algorithm 141 e in order to derive themodule public key 111 and module public key 112 (with normally themodule private key 112 being derived first with a key pair generationalgorithm 141 e). Since a module 101 may utilize a plurality of module101 PKI key pairs during its lifetime, including the possibility ofusing multiple module private keys 112 concurrently, such as usingdifferent module private keys 112 for different purposes, in exemplaryembodiments module 101 can also derive a module public key identity 111a for module public key 111 at a step 515 or a step 316 in FIG. 7. Atsubsequent steps where module 101 sends the module public key 111, themodule 101 can also send the module public key identity 111 a. In thismanner, module 101 and a server 105 can properly track which modulepublic key 111 is being used for any given set of communications withmodule 101 using PKI.

Upon key derivation at step 515 of FIG. 7, or a profile activation step316 for embodiments where a module 101 uses an eUICC to connect with awireless network 102, module private key 112 and module public key 111can be recorded in a nonvolatile memory 101 w. In an exemplaryembodiment, module private key 112 is preferably not transmitted or sentoutside module 101. Note that module 101's internal derivation, orprocessing or creation, of module private key 112 and correspondingmodule public key 111 can have many benefits. First, module private key112 does not need to be recorded in any other location than withinmodule 101, and thus may also be considered not shared. Recording moduleprivate key 112 only within module 101 avoids potential security risksof (i) storing or recording module private key 112 in other locations,such as with module provider 109, mobile network operator 108, or aninstaller or end user of module 101, and (ii) transferring moduleprivate key 112 from these other locations. A primary security risk fromstorage of module private key 112 outside module 101 is thatunauthorized 3rd parties may gain access to the module private key 112.

For embodiments where a module 101 uses an eUICC 163 to connect with awireless network 102, the derivation of a module PKI key pair in a step316 can benefit a mobile network operator, since a module private key112, which can serve as the foundation for subsequent communicationswith a wireless network 102, does not depend on the transmission of amodule private key 112 through 3^(rd) parties. In exemplary embodimentswhere a module 101 uses an eUICC 163 to connect with a wireless network102, module private key 112 can be derived at other times besides duringa profile activation 316 step, but the result of obtaining an activatedeUICC profile 313 can include steps associated with a profile activationstep 316 such that an activated MNO network credentials 314 includes amodule PKI key pair 315 that has been derived by a module 101.

Also note that over a potential lifetime of a decade or more ofoperation of module 101, each time a new module private key 112 may berequired (for various potential reasons outlined above, including theuse of new activated eUICC profiles 313 in embodiments where a module101 uses an eUICC 163 to connect with a wireless network 102), theexternal recording and/or transferring of module private key 112 incursa potential security risk. Security risks can be compounded if theexternal location records private keys 112 for a plurality of modules101. Also, by internally generating private key 112 at a step 515 or astep 316, module 101 can overcome significant limitations and costsrequiring the distribution of a pre-shared secret key Ki or K in theform of a SIM card or similar physical distribution of a pre-sharedsecret key.

At step 705, module 101 can send the module public key 111, and themodule public key 111 could be sent to a server 105 in a message 208that includes a module identity 110. In embodiments where a module 101uses an eUICC 163 to connect with a wireless network 102, a module 101can send the module public key 111 to a server 105 associated with thewireless network 102 in a step 705. The module 101 can also send themodule public key identity 111 a with the module public key 111 in astep 705. In an embodiment, the module 101 can send the module publickey 111 to a server different than server 105 used in a step 704, andthe different server could be a server associated with a certificateauthority 118 an mobile network operator 108, or a subscription manager164 if an eUICC 163 is used by module 101 to connect with a wirelessnetwork 102. The module identity 110 could be in the form of anencrypted module identity 110 a, or a network module identity 110 b inembodiments where a module 101 uses an eUICC 163. The module public key111 could be sent either as plaintext or within a module encrypted data403, where the shared secret key 129, or shared secret key 510 inembodiments where module 101 uses an eUICC 163, could be used as asymmetric key 127 with a symmetric ciphering algorithm 141 b. By sendingthe module public key 111 in a module encrypted data 403, a system 100and other systems contemplated herein may be kept more secure, sinceother nodes besides server 105 would not be able to (i) read the modulepublic key 111 or (ii) use the module public key 111 for sending module101 unauthorized or fraudulent server encrypted data 504 with anasymmetric ciphering algorithm 141 a and the module public key 111.

Although not illustrated in FIG. 7, at step 705 server 105 couldauthenticate message 208 at step 705 that includes the module public key111 in order to ensure that module public key 111 is properly associatedwith module identity 110 and that module public key 111 is notfraudulently submitted by another node or module 101 attempting to sendthe data. In an exemplary embodiment, at step 705 module 101 could usethe steps for authentication of the message 208 containing module publickey 111 using the authentication from a step 704. In an exemplaryembodiment, module 101 could perform steps to authenticate with a serverdepicted and described in connection with step 1202 of FIG. 12 in U.S.patent application Ser. No. 14/064,618, filed Oct. 28, 2013 in the nameof John Nix. Or, if module 101 sends module public key 111 in a step 705at a sufficiently short period of time after step 704, such as, but notlimited to, less than an exemplary minute after step 704, then theprevious authentication from step 704 may still be applicable. In thiscase, the authentication of module 101 at a step 705 could comprise theauthentication of module 101 from the prior step 704. Otherpossibilities exist as well without departing from the scope of thepresent invention for a module 101 to securely send a derived modulepublic key 111 to a server 105 in a step 705.

At step 706, module, module 101 can begin utilizing the new modulepublic key 111 and module private key 112 derived in a step 515 or astep 316 in FIG. 7, where new public key 111 was sent to a server 105and authenticated in Step 705. In exemplary embodiments where module 101uses an eUICC 163, before step 706 module 101 could also take theadditional steps depicted and described in connection with FIG. 9b belowin order to obtain a secret shared network key K 129 d for communicationwith wireless network 102. In exemplary embodiments where module 101communicates with a server 105 independently of an eUICC 163 (other thanpossibly using an eUICC 163 to obtain access to IP Network 107), thenthe additional steps illustrated in FIG. 9b to obtain a secure key K maybe optionally omitted.

At a step 706, module 101 could begin following normal operations of adata reporting steps 101 x illustrated in FIG. 3. At step 706, module101 can send a module encrypted data 403, where the module encrypteddata 403 could include either (i) a symmetric key 127 ciphered with anasymmetric ciphering algorithm 141 a and the server public key 114, or(ii) a server instruction 414 that could include a sensor measurement305 or other data. If module encrypted data 403 at step 706 includes aserver instruction 414, such as, but not limited to, an exemplary serverinstruction 414 depicted and described in connection with FIG. 6, thenmodule 101 could send or receive a symmetric key 127 before step 706 andcipher data in the module encrypted data using the symmetric key 127.Although not illustrated at step 706, module 101 can also send a moduleidentity 110, an encrypted module identity 110 a, or a network moduleidentity 110 b at a step 706. If module encrypted data 403 at step 706includes data encrypted with an asymmetric ciphering algorithm 141 a,the module 101 may also send a module digital signature 405 at a step706.

At step 707, module 101 can receive a response 209, where the response209 includes server encrypted data 504, and the server encrypted data504 can include a module instruction 502. In this step 707 a server 105can utilize the new module public key 111, resulting from the keygeneration by module 101 in a step 515 above in FIG. 7, to encryptserver encrypted data 504 in one of two ways. First, server 105 canencrypt server encrypted data 504 using an asymmetric cipheringalgorithm 141 a by ciphering with the new module public key 111. Second,server 105 can encrypt server encrypted data 504 using a symmetricciphering algorithm 141 b by utilizing a key derivation function 141 fincluding steps for ECDH 159 and (i) the new module public key 111 and(ii) the server public key 114 in order to derive a commonly sharedsymmetric key 127, which could comprise a derived shared secret key 129b. In this second instance, module 101 can decrypt server encrypted data504 in step 707 using a symmetric ciphering algorithm 141 b and thecommonly shared symmetric key 127 comprising a derived shared secret key129 b. Module instruction 502 at a step 707 could comprise an“acknowledgement” that a message 208 sent in a step 706 was properlyreceived. Other possibilities exist as well for a module 101 to receiveand process a server encrypted data 504 with a module instruction 502 ina step 707.

At step 708, module 101 or server 105 can determine or evaluate if a newmodule private key 112 and module public key 111 are required forcontinued operation. Another node associated with mobile networkoperator 108 besides server 105 could also determine if the use of newPKI keys are desirable in a step 708. Exemplary reasons for thegeneration of new keys by a module 101 were described at the beginningto this FIG. 7. One reason could be the expiration of a certificate 122for module 101, or equivalently the expiration of a time-to-live valuefor a module public key 111 if module public key 111 is not recorded inthe form of a certificate 122. A second exemplary reason could be thatmodule 101 may wish to connect with a new wireless network 102 thatrequires the use of PKI techniques for authentication, but also adifferent set of cryptographic parameters 126 or algorithms in order formodule 101 to communicate through a new wireless network 102. In anexemplary embodiment, a set of cryptographic parameters 126 for a server105 may change or be different than with a previous server 105, such as,but not limited to, (i) using a different elliptic curve or a differentset of asymmetric ciphering algorithms 141 a, or (ii) requiring longerkey lengths. Module 101 may need to derive at a step 708 a new set of acompatible module public key 111 with a corresponding module private key112. A third exemplary reason could be that module 101 prefers to use adifferent received eUICC profile 311 in order to connect with adifferent wireless network 102 than the wireless network 102 utilizedfor communication in a step 705 or step 706.

Other examples for reasons that a module 101 may need new public/privatekeys after installation with a monitored unit 119 exist as well, and anycould be a reason for module 101 to determine to utilize newpublic/private keys. If module 101 and/or a server 105 determine thatnew keys are not required at step 708, module 101 can then proceed to astep 309 and wait for a specified interval before taking further action.As illustrated in FIG. 7, the further action could comprise returning toa step 706 and the module could continue to periodically report dataregarding a monitored unit 119 in the form of periodically sending amessage 208 to server 105, and the message 208 could contain a sensordata 305, or other data for the remote monitoring and/or control of amonitored unit 119. In an exemplary embodiment, the determination at astep 708 could be made at other times as well, such as before a step 707or a step 706.

Either a module 101 or a server 105 could determine if the use of newmodule 101 PKI keys are preferred or desirable in a step 708. Ascontemplated herein, the term “PKI keys” can refer to a pair of keyscomprising a module public key 111 and a module private key 112. In theembodiment where a server 105 or another node associated with mobilenetwork operator 108 determines or evaluates that the use of new module101 PKI keys are preferred or required in a step 708, then at a step 607a server 105 could send a signal to module 101 to derive new PKI keys.An exemplary signal for module 101 to derive new PKI keys in a step 607could be in the form of an exemplary response 209 illustrated in FIG. 6,where the response 209 includes a module instruction 502 of “derive newPKI key pair”. If a module 101 determines on its own (i.e. withoutreceiving a signal from a server 105 for deriving new keys), then step607 may be omitted, and otherwise a step 607 can otherwise be useful orrequired in order to signal that a module 101 should derive new PKIkeys. In an exemplary embodiment, a step 607 may require sending themodule instruction 502 of “derive new PKI key pair” within a response209, where module 101 may previously have sent a message 208. The reasoncan be that a module 101 may operate behind a firewall 104 orperiodically sleep, and in this case a server 105 may not be able tosend a module 101 the module instruction 502 at arbitrary times, butmust wait until after module 101 first sends a message 208 beforesending the module instruction 502 of “derive new PKI key pair” in aresponse 209.

A step 607 can also comprise a module 101 receiving a third set ofcryptographic parameters 126 or a subset of cryptographic parameters 126a. A third set of cryptographic parameters 126 or a subset ofcryptographic parameters 126 a can also be optionally omitted from astep 607 and in this embodiment a prior set of cryptographic parameters126 or a subset of cryptographic parameters 126 a, such as theparameters 126 (i) received by a module 101 in a step 704 above, or (ii)initially recorded in a step 703 could apply. In a step 607 a module 101can send a set of cryptographic parameters 126 and receive a thirdsubset of cryptographic parameters 126 a. Or, a module can receive athird set of cryptographic parameters 126 and send a subset ofcryptographic parameters 126 a. The subset of cryptographic parameters126 a could comprise a (i) single value such as specifying a named curvewithin an ECC standard curve 138, a modulus to use with an RSA algorithm153, or a time value for a new module public key 112, or (ii) multiplevalues such as two or more selected from an exemplary subset ofcryptographic parameters 126 a illustrated in FIG. 1i . Note that in astep 607 the module instruction 502 of “derive new PKI key pair” or asimilar signal could be received by a module 101 in a separate packetthan either a set of cryptographic parameters 126 or a subset ofcryptographic parameters 126 a.

In addition, in a step 607 the module instruction 502 of “derive new PKIkey pair” or a similar signal could be received by a module 101 eitheras plaintext in a packet or within a server encrypted data 504. Further,in a step 607 the third set of cryptographic parameters 126 or thesubset of cryptographic parameters 126 a could be received by a module101 either as plaintext in a packet or within a server encrypted data504. As illustrated in FIG. 7, the set of cryptographic parameters 126or the subset of cryptographic parameters 126 a could comprise a 3^(rd)set of cryptographic parameters 126, and the 3^(rd) set of cryptographicparameters 126 may be the same or different than a 2^(nd) set ofcryptographic parameters 126 received in a step 704. In an exemplaryembodiment, a step 607 comprises receiving the third set ofcryptographic parameters 126 and a module instruction 502 in the form ofa received eUICC profile 311 for an eUICC 163. The data received bymodule 101 at a step 607 in FIG. 7 could include a second received eUICCprofile 311, for embodiments where a module 101 uses an eUICC 163 toconnect with a wireless network 102, where the second received eUICCprofile 311 can be different than a first eUICC profile 311 used in astep 316 in FIG. 7.

At step 709 the module 101 can use the third set of cryptographicparameters 126 received in a step 607 to derive a second module privatekey 112 and a second module public key 111. Module 101 could use a step515 or a step 316 in order to derive the second module private key 112and second module public key 111 at a step 709. In embodiments where amodule 101 uses an eUICC 163 to connect with a wireless network 102, astep 709 could comprise module 101 deriving a second module PKI key pair315 for use in a second activated MNO network credentials 314 (differentfrom the first set of activated MNO network credentials 314 from a step316 above in FIG. 7), and the third set of cryptographic parameters 126in a step 709 could comprise the set of cryptographic parameters 126received in the received eUICC profile 311 from a step 607 above. Inother embodiments, the use of an eUICC 163 by module 101 is not requiredin a step 709, and a step 709 to derive new module PKI keys can beindependent of the presence or use of an eUICC 163. In other words, amodule 101 and a server 105 can use some embodiments of the presentinvention illustrated in FIG. 7 and other Figures herein independentlyof the presence of an eUICC 163 and related profiles, while otherembodiments may use an eUICC 163 and related profiles.

At step 709, module 101 can derive the second module private key 112 anda corresponding second module public key 111 using (i) random numbergenerator 128, (ii) the third set of cryptographic parameters 126 or thethird subset of cryptographic parameters 126 a from a step 607, (iii)cryptographic algorithms 141, and (iv) a key pair generation algorithm141 e. In an embodiment where the second set of cryptographic parameters126 are omitted from a step 607, then in a step 709 module 101 could useeither (i) the first set of cryptographic parameters 126 from step 703or (ii) the second set of cryptographic parameters 126 or 126 a from astep 704. In a step 709 a module 101 can also derive and a assign amodule public key identity 111 a to be associated with the second modulepublic key 111, where the module public key identity 111 a can be usedto identify and select the second module public key 111 from a firstmodule public key 111 potentially from a step 515 above. In other words,a second module public key 111 can be associated with a second modulepublic key identity 111 a and a first module public key identity can beassociated with a first module public key identity 111.

According to the set of cryptographic parameters 126 or 126 a used in astep 709, in an exemplary embodiment the module PKI keys derived in astep 709 can be associated with a different asymmetric cipheringalgorithm 141 a than the module PKI keys derived in a step 515 or a step316 in FIG. 7. For example, the first module PKI keys in a step 515 orstep 316 in FIG. 7 could utilize a first ECC standard curve 138, whilethe second module PKI keys in a step 709 could use a second ECC standardcurve 138. Or, the first module PKI keys in a step 515 or a step 316 inFIG. 7 could utilize an RSA algorithm 153, while the second module PKIkeys in a step 709 could use an ECC algorithm 154. In another embodimentat step 709, the first module PKI keys in a step 515 or step 316 in FIG.7 could utilize an RSA algorithm 153 with a shorter key length, such as,but not limited to, an exemplary 1024 bits, while the second module PKIkeys in a step 709 could use an RSA algorithm 153 with a longer keylength such as, but not limited to, an exemplary 2048 bits. Further, thefirst module PKI keys in a step 515 or step 316 in FIG. 7 and the secondmodule PKI keys in a step 709 could use the same algorithm and keylength. Other possibilities for differences or similarities between thefirst module PKI keys in a step 515 or step 316 and the second modulePKI keys in a step 709 are possible as well without departing from thescope of the present invention.

After deriving the second module PKI keys in a step 709, at step 710 themodule 101 can send the second module public key 111 with the moduleidentity 110 to a server 105. In embodiments where a module 101 uses aneUICC 163 to connect with a wireless network 102, the module 101 cansend the second module public key 111 associated with an activated eUICCprofile 313 with the network module identity 110 b to a server 105associated with (i) wireless network 102 and/or (ii) subscriptionmanager 164. In exemplary embodiments, the second module public key 111can be sent with the second module public key identity 111 a. The module101 can send the data in a message 208. In an exemplary embodiment themodule 101 can send (i) the second module public key 111 and a moduleidentity 110, and (ii) authenticate or verify data sent by module 101 ina step 710 using the first module private key 112 from a step 515 or astep 316 in FIG. 7. The authentication or verification of data sent bymodule 101 in a step 710 could comprise verifying or authenticating datasent with the second module public key 111, such as verifying orauthenticating module identity 110 or a network module identity 110 b.Or the authentication or verification of data sent by module 101 in astep 710 could comprise verifying or authenticating the second modulepublic key 111, and other possibilities exist for a module 101 to sendthe second module public key in an authoritative manner.

In an exemplary embodiment, in a step 710 the module 101 can use thefirst module private key 112 to verify or authenticate the second modulepublic key 111 sent using at least one of several sub-steps. Thesub-steps at a step 710 to verify the second module public key 111 usingthe first module private key 112 could comprise any of (i) sending thesecond module public key 111 and a module identity 110 with or in amodule encrypted data 403 that uses a symmetric ciphering algorithm 141b, where the symmetric key 127 for encrypting and decrypting the moduleencrypted data 403 at step 710 could previously be communicated beforestep 710 using the first module private key 112 (such as, but notlimited to, a module 101 receiving the symmetric key 127 from a server105 in a server encrypted data 504, where the server encrypted data 504was deciphered with an asymmetric ciphering algorithm 141 a and thefirst module private key 112), (ii) sending the second module public key111 and module identity 110 with a module digital signature 405 wherethe module digital signature 405 is calculated or processed by module101 using the first module private key 112 from a step 515 in FIG. 7,(iii) using a derived shared secret key 129 b with a message digestauthentication for verifying a sent message 208 with the second modulepublic key 111 at step 710, where the derived shared secret key 129 bwas processed using a key derivation function 141 f and the first moduleprivate key 112, and/or (iv) using a derived shared secret key 129 b asa symmetric key 127 for encrypting data sent with the second modulepublic key 111, where the derived shared secret key 129 b was processedusing a key derivation function 141 f and the first module private key112.

Other possibilities exist as well without departing from the scope ofthe present invention for using the first module private key 112 from astep 515 or a step 316 in order for a module 101 to verify orauthenticate data sent with the second module public key 111 at a step710. As illustrated in FIG. 7, after step 710, the module 101 can returnto a step 706 and continue regular operation such as, but not limitedto, collecting sensor data 305 and sending the data periodically in amodule encrypted data 403. In embodiments where a module 101 uses aneUICC 163, module 101 could send and receive application data with asecond wireless network 102 after completing step 710. Upon returning tostep 706, the module encrypted data 403 could use the second module PKIkeys derived in a step 709. In embodiments where module 101 returns tostep 706, depicted values for subsequent steps could increment, suchupon returning to step 709 for a second time, then the depicted valuesfor “second module public key” and “3rd parameters” could become “thirdmodule public key” and “4^(th) parameters” at the second iteration ofstep 709, etc.

Benefits of using the first module private key 112 in authentication ofthe second module public key 111 at a step 710 include a server 105could use the first module public key 111 received by server 105 in astep 705 in order to authenticate or verify the correct module 101 sendsthe second module public key 111. In addition, module 101 maycommunicate with a plurality of servers 105, including servers fromdifferent mobile network operators 108 over time. The plurality ofservers 105 could share the first module public key 111 such that when astep 710 occurs, module 101 may send the second module public key 111and module identity 110 to a different server 105 than the server 105from a step 705 or step 706. In embodiments where a module 101 uses aneUICC 163 in order to connect with a wireless network 102, either (i)different wireless networks 102 or (ii) an eUICC subscription manager164 could share the first module public key 111 in order to authenticatethe second module public key 111 in a step 710 of FIG. 7.

In other words, the substeps described in connection with a step 710 asdescribed in the preceding three paragraphs could be conducted by aserver 105 using the first module public key 111 received in a step 705in order to authenticate the second module public key 111 from a step709 (and a module 101 could use the first module private key 112 for theauthentication of the second module public key 111). By module 101authenticating or verifying data with the second module public key 111using the first module private key 112, the different server 105 couldaccess and use the first module public key 111 in authentication orverification steps performed by the different server 105 in order forthe server to securely receive the second module public key 111.Security for a server 105 in future steps, such as securely receivingfuture messages 208 after a step 710 can depend on a server 105recording the correct second module public key 111 for a module 101,including preventing unauthorized or fraudulent parties from attemptingto send the second module public key 111.

In an exemplary embodiment, the module identity 110 in a step 710, andother steps for communication a module identity 110 in FIG. 7, couldcomprise an encrypted module identity 110 a. Module 101 could sent theencrypted module identity 110 a with an algorithm token 190, and aserver 105 could use a secret ciphering algorithm deciphering 162 inorder to convert the encrypted module identity 110 a into a plaintextmodule identity 110. In this manner, the module identity 110 could besecurely transmitted across a public network such as the IP Network 107.The second module public key 111 in a step 710 could be sent in a moduleencrypted data 403, such that third parties may not reasonably be ableto read the plaintext second module public key 111. As noted elsewhereherein, any given module public key 111 may not need to be publiclyshared and could remain confidential for an mobile network operator 108,and in this manner the security for communications between module 101and server 105 can be further increased, since a potential attackercould be prevented from having reasonable access to a module public key111. Further, module 101 could use a plurality of module public keys 111for different purposes, including different module public keys beingassociated with different asymmetric ciphering algorithms 141 a. A firstmodule public key 111 could be used with a first wireless network 102(possibly in the form of an activate MNO network credentials 314), asecond module public key 111 could be used for verifying module digitalsignatures 405, and a third module public key 111 could be for adifferent mobile network operator 108, etc. The use of different modulepublic keys 111 could be specified using a module public key identity111 a. In exemplary embodiments, a first subset of the module publickeys 111 may be sent by a module 101 in a module encrypted data 403 anda second subset of the module public keys 111 could be sent by themodule 101 as plaintext within a datagram.

As illustrated in FIG. 7, the collection of steps from step 515 throughstep 710, including loops through a step 309, can collectively compriseindividual sub-steps for a step 712 as depicted in FIG. 7. Step 712 caninclude a plurality of sub-steps including module 101 deriving a firstset module PKI keys at a step 515, determining that a new set of modulePKI keys are needed in a step 708, receiving a new set of cryptographicparameters 126, and deriving a second set of module PKI keys using thenew set of cryptographic parameters 126 in a step 709, and sending thenew, second module public key 111 while performing authentication in astep 710, etc. In addition, the collection of steps from step 702through step 704 can comprise sub-steps for a step 711. A step 712,comprising the collection of sub-steps as depicted and described FIG. 7,may be utilized in FIG. 9a below. A step 711 may be utilized in FIG. 10below.

FIG. 8

FIG. 8 is a simplified message flow diagram illustrating an exemplarymessage sent by a module, wherein the message includes a derived modulepublic key, in accordance with exemplary embodiments. As discussed inFIG. 5b , there can be cases where module 101 derives a new modulepublic key 111 and new module private key 112. On example would be theinitial creation of the key pairs by module 101, and many other examplescould exist as well. FIG. 8 can illustrate an exemplary format andcontents of a message 208 for steps 710 of FIG. 7. This exemplarymessage 208 can also help to illustrate the significant differences fromconventional technology and improvements for efficient and securecommunications by utilizing embodiments contemplated herein. Since amessage 208 illustrated in FIG. 8 could be related to more than onemodule public key 111, as depicted and described herein the new modulepublic key 111 can be referred to as new module public key 111′ and theprior applicable module public key 111 can be referred to as modulepublic key 111. Likewise, a new module public key identity 111 a can bereferred to as a new module public key identity 111 a′, and the priorapplicable module public key identity 111 a can be referred to as modulepublic key identity 111 a.

A message 208 illustrated in FIG. 8 using a step 710 from FIG. 7 caninclude (i) sending new module public key 111′, a module public keyidentity 111 a′, a module identity 110, a server instruction 414, asecurity token 401, a subset of cryptographic parameters 126 aassociated with (i) the new module public key 111′ and/(ii) orcryptographic algorithms 141 for using the new module public key 111′.Exemplary cryptographic parameters 126 a illustrated in FIG. 8 include(i) a secure hash algorithm 141 c to utilize in signatures, which couldcomprise the SHA 256 algorithm as shown (which may also be known as theSHA-2 algorithm), (ii) a selected elliptic curve for use with ECCalgorithms 154 or a modulus to use with RSA algorithms 153, and (iii) atime-to-live value for the new module public key 111′, such as, but notlimited to, the illustrated “time to live” value of 1 year shown in FIG.8. The time value for the validity of new module public key 111′ couldalternatively be specified in a set expiration date. Other valuesassociated with cryptographic algorithms 141 could be included in a setof cryptographic parameters 126 as well, and the illustrated values areintended to be exemplary instead of limiting. In exemplary embodiments,the set of cryptographic parameters 126 in a message 208 could comprisea set of cryptographic parameters 126 depicted and described inconnection with FIG. 1i . Or, module 101 could send a set ofcryptographic parameters token 126 c to identify a set of cryptographicparameters 126 instead of sending the complete list of cryptographicparameters 126. Note that a set of cryptographic parameters 126 or 126 aor token 126 c could be optionally omitted in the message 208illustrated in FIG. 8 when a prior message 208 or step had negotiated orestablished the set of cryptographic parameters 126 or 126 a to use withthe new module public key 111′.

Additional values or fields within a message 208 associated withcommunicating a new module public key 111′ with a server 105 couldinclude a server instruction 414 of “new public key”. This serverinstruction 414 could inform server 105 to utilize the new module publickey 111′ within the message 208. Module public key identity 111 a′ caninclude a sequence number or identity for the new module public key111′, such that module 101 or server 105 can properly reference and/orrecord the key from a plurality of module public keys 111 that could beassociated with module identity 110. Although module public key identity111 a′ is illustrated as a separate field in server instruction 414,module public key identity 111 a′ could optionally be included in a setof cryptographic parameters 126, such that the value withincryptographic parameters 126 specifies a current sequence number ofmodule public key identity 111 a′ for the new module public key 111′included in a message 208. In addition, although the module public keyidentity 111 a′ illustrated in FIG. 8 could be a sequence number, themodule public key identity 111 a′ could also optionally be globallyunique. For example, the module public key identity 111 a′ couldcomprise a combination of a unique serial number from a module 101 andthen a sequence number. With a globally unique module public keyidentity 111 a, a server 105 reading the module public key identity 111a could determine a module 101 with a module identity 110 associatedwith any given module public key identity 111 a.

Other fields and features within a message 208 as illustrated in a FIG.8 can be similar or equivalent to the fields presented in FIG. 6. In anexemplary embodiment, the new module public key 111′ can be transmittedby a module 101 using at least one of (i) channel coding 406 for a body602 of message 208 and/or (ii) forward error correction such thatmessage 208 could be transmitted multiple times concurrently in order toincrease the probability of receipt by a server 105. In an exemplaryembodiment, a message 208 containing the new module public key 111′could be sent by module 101 three times concurrently, and otherpossibilities exist as well. In an exemplary embodiment, the moduleidentity 110 could be included within an encrypted module identity 110a. Module 101 could use a secret symmetric ciphering algorithm 161 toencrypt the module identity 110. In another embodiment illustrated inFIG. 8, module identity 110 could be sent as plaintext within themessage 208 that includes the new module public key 111′.

For a message 208 in FIG. 8 comprising a message for a step 710 in FIG.7, each of (i) destination IP:port number 207, (ii) parameters 126, and(iii) shared secret key 510 could be updated by server 105 using amodule instruction 502 within a server encrypted data 504 before message208 illustrated in FIG. 8 is transmitted or sent by module 101. Afterreceiving message 208, server 105 can use the module identity 110illustrated in a body 602 of FIG. 8 to select at least one of (i) asymmetric key 127 associated with module identity 110, where thesymmetric key 127 could comprise a session key, and/or (ii) a priormodule public key 111 associated with the module identity 110. Thesymmetric key 127 could be established in steps such as a step 706 orthe prior module public key 111 (i.e. not the new module public key 111′in FIG. 8) sent in a step 705. The server 105 can use the selectedsymmetric key 127 or selected prior module public key 111 toauthenticate message 208. As described in step 710 of FIG. 7 andelsewhere herein, a server 105 may preferably authenticate message 208that includes new module public key 111′ in order to confirm that modulepublic key 111 originated from physical module 101 with a hardwaremodule identity 110 (as opposed to being an imposter submitting the newmodule public key 111′). In one example, successfully decryption themodule encrypted data 403 using the symmetric key 127 would authenticateor verify the message 208, since only the valid and correct module 101could reasonably have access to the symmetric key 127 to encrypt the newmodule public key 111′. Other possibilities exist as well for a module101 to authenticate a message 208.

Although not illustrated in FIG. 8, in an exemplary embodiment newmodule public key 111′ could also be sent in a message 208, where thenew module public key 111′ and parameters 126 (if present) can beincluded in plaintext format within a datagram 601 a. The security of asystem 100 and other systems illustrated herein can be further increasedby both (i) ciphering new module public key 111′ and the set ofcryptographic parameters 126, and (ii) only sharing the new modulepublic key 111′ in a confidential manner with server 105 and/or a set ofservers 1010. If module 101 needed a module public key 111 for otherpurposes, such as, but not limited to, obtaining a certificate 122, thena second, publicly disclosed module public key 111 could be utilized toauthenticate a message 208 from FIG. 8 that is sent as plaintext withoutsymmetric ciphering 141 b, where the second module public key 111 isdifferent than and sent before the new module public key 111′ that issent to a server 105 in a module encrypted data 403.

Although not illustrated in FIG. 8, in an exemplary embodiment, newmodule public key 111′ can be authenticated with server 105 using amodule digital signature 405. When message 208 illustrated in FIG. 8comprises a message for a step 710 illustrated in FIG. 7, such that aprior module public key 111 has previously been sent to server 105 suchas in a step 705, then message 208 could include a module digitalsignature 405 using the previous module private key 112 (i.e. not thenew module private key 112 associated with the new module public key111′ in the message 208 shown in FIG. 8). In another embodiment, moduledigital signature 405 could be omitted, and message 208 with new modulepublic key 111′ could be authenticated using a message digest algorithmand a shared secret key 129, where the shared secret key could be sentusing a step 706 or 707 from FIG. 7. Other possibilities for a module101 to send a new module public key 111′ in a message exist as wellwithout departing from the scope of the present invention.

FIG. 9a

FIG. 9a is a flow chart illustrating exemplary steps for a module to usea shared secret key to authenticate with a server, in accordance withexemplary embodiments. In order to utilize communications secured withPKI techniques such as private keys, public keys, certificates, andidentities, a module 101 may preferably obtain or generate these keysand certificate in a secure manner. In exemplary embodiments, thedistribution of module 101 may include the possession or control ofmodule 101 passing through entities outside of the control of a moduleprovider 109 and/or a mobile network operator 108. Consequently, module101 may need a secure method of authenticating with a server 105 afterdistribution and upon the initiation of operation with a monitored unit119. Note that securely initiating communications after distribution,potentially through third parties outside the control of module provider109 and/or mobile network operator 108 can be a challenge withconventional technology since keys such as a pre-shared secret key 129 a(such as a traditional key K in a SIM) or private keys not internallyderived may need to also pass through the distribution channel in orderto initiate secure communication with conventional technology. FIG. 9aillustrates an embodiment of the present invention, where a module 101can begin secure communication with a server 105 without passing anykeying material through a distribution channel. In this manner, (i) asystem such as system 100 and other exemplary systems 100 can be mademore secure, and (ii) the additional handling costs of passing keyingmaterial through a distribution channel, possibly in the form of asecret key in a SIM card or UICC, can be avoided.

At step 901, a manufacturer can complete manufacturing of a module 101,including assembling the hardware, software, and/or firmware componentsillustrated in FIG. 1b and FIG. 1c . A module identity 110 and componentparameters 101 t can be recorded in a step 901. The module identity 110could be recorded in a protected address, such as, but not limited to aROM 101 c or other address on a system bus 101 d. A protected address isalso described in connection with FIG. 7 and elsewhere herein. Thecomponent parameters 101 t could be recorded with each of the exemplarycomponents illustrated in FIG. 1 b, FIG. 1c , and FIG. 1e . Exemplarycomponent parameters 101 t are depicted and described in connection withFIG. 1e . The component parameters 101 t could be read using a systembus 101 d and recorded into nonvolatile memory such as, but not limitedto, flash memory 101 w in a module 101. Or, the module manufacturercould read or specify the individual component parameters 101 t beforeassembly of module 101 and record the collection of component parameters101 t into a file. At a step 901 the component parameters 101 t could berecorded into a file for storage in module 101 and a server 105. Inexemplary embodiments, both module 101 and server 105 can record themodule identity 110 and component parameters 101 t.

At step 902, a module program 101 i, a first set of cryptographicparameters 126, and a server address 207 can be recorded into anonvolatile memory such as, but not limited to, a flash memory 101 w.Step 902 can occur at one of several possible points in time betweenmodule 101 manufacturing and installation with a monitored unit 119.Step 902 could be performed by the manufacturer during manufacturing.Step 902 could be performed by a distributor during distribution. Step902 could be performed by a technician or end-user upon installation ofmodule 101 with a monitored unit, and other possibilities exist as wellfor the time when a step 902 could occur. The server address 207 couldcomprise a server name 206 instead of an IP address, and module 101could use the server name 206 at a later step to lookup a server IPaddress 207 using DNS or DNSSEC. A set of cryptographic parameters 126are depicted and described in connection with FIG. 1d and FIG. 1i andelsewhere herein. A module program 101 i is depicted and described inconnection with FIG. 1b . Note that many other parameters and values maybe loaded into a non-volatile memory 101 t besides the ones illustratedin step 902 of FIG. 9a , including data for connecting with a wirelessnetwork 102, and FIG. 9a illustrates an exemplary set of steps in orderto utilize the efficient and secure systems and methods forcommunication contemplated herein. As one example, a module 101 couldalso include a SIM card, a UICC, or an embedded UICC 163 (eUICC), inaddition to recording in a module 101 the data illustrated at step 902of FIG. 9a . In accordance with an exemplary embodiment, the dataillustrated at a step 902 of FIG. 9a can be recorded in a SIM card,UICC, or eUICC 163. For embodiments with an eUICC 163, the data recordedin a step 902 could be included within a received eUICC profile 311.Thus, although other embodiments of the present invention illustrated inFIG. 9a (other embodiments contemplated in the previous two sentences)allows a module 101 to securely initiate communication with a server 105without depending on pre-shared security keys such as a SIM card oreUICC 163, the pre-shared materials in traditional mobile networks suchas SIM cards and a eUICC could include the data and techniquescontemplated herein.

At step 903, the module 101 can derive a shared secret key 129 c usingthe component parameters 101 t. In an exemplary embodiment, the module101 can derive the shared secret key 129 c using the steps depicted anddescribed in connection with FIG. 1f and FIG. 1h . Module 101 could usethe set of component parameters 101 t and an algorithm token 190 asinput into a shared secret algorithm 141 g, with an output of the sharedsecret key 129 c. Although not illustrated in FIG. 9a , a server 105could record or could query a module database 105 k for the same set ofcomponent parameters 101 t with the module identity 110 and sharedsecret algorithm 141 g, and upon receipt of the module identity 110 andalgorithm token 190, then the server 105 could derive the same sharedsecret key 129 c.

After step 903, upon connection to the IP Network 107, possibly througha wireless network 102, module 101 could conduct a step 904. In step904, module 101 can perform a 2-way authentication with a server 105using the shared secret key 129 c, where the shared secret key 129 c ina step 904 could be derived in a step 903. The server address 207 as thedestination of outbound packets, such as a message 208 to initiate theauthentication, could be recorded in a step 902 above. Module 101 cansend the algorithm token 190 used to derive the shared secret key 129 cin a step 903 to the server 105 in a message 208, in order for theserver 105 to derive the same shared secret key 129 c, where the server105 can use the same set of component parameters 101 t and shared secretalgorithm 141 g as depicted and described in connection with FIG. 1f .Note that a benefit of both nodes deriving the same or equal sharedsecret key 129 c is that only the algorithm token 190 may need to besent from module 101 to server 105 at a step 904, and the algorithmtoken 190 may also be sent as plaintext. Upon both nodes accessing thesame shared secret key 129 c, sub-steps can be taken by both nodes inorder to conduct the 2-way authentication using the shared secret key129 c. In an exemplary embodiment, module 101 can conduct the 2-wayauthentication using wireless network standards such as, but not limitedto, ETSI standard TR 131 900 v.10.0.0 and related documents.

At step 904, server 105 can authenticate module 101 using the moduleidentity 110 received in a message 208 and a message digest algorithm,such as described in IETF RFC 2617, titled “HTTP Authentication: Basicand Digest Access Authentication”, and other reasonably secureauthentications techniques using a shared secret key 129 c could beutilized without departing from the scope of the present invention. Inorder to authenticate, module 101 could take steps to demonstrate toserver 105 that module 101 holds the same shared secret key 129 c asserver 105. Module 101 can properly respond to a challenge/nonce in thesteps for a message digest by sending a secure hash value using (i) thechallenge/nonce from a server 105 and (ii) the shared secret key 129 c.Or, module 101 could authenticate by generating a module digitalsignature 405 in a message 208 using the shared secret key 129 c. Inaddition, module 101 could utilize the shared secret key 129 c as asymmetric key 127 to encrypt a module encrypted data 403 with symmetricciphering 141 b, and if server 105 could properly decrypt the moduleencrypted data 403 using the same shared secret key 129 c on the server,then server 105 would know the correct module 101 sent the message 208and thereby would be authenticated. Other possibilities exist as wellfor a module 101 to authenticate with a server 105 using a shared secretkey 129 c and a step 904 in FIG. 9a without departing from the scope ofthe present invention.

Continuing at step 904, module 101 can also preferably authenticateserver 105 in order to complete a 2-way authentication. Module 101 cantake steps to ensure or verify that server 105 with reasonable assurancealso holds the shared secret key 129 c. Module 101 could authenticateserver 105 using message digest, such that module 101 issues achallenge/nonce, and verifying that server 105 properly responds to thechallenge/nonce with a correct secure hash value, such as the outputfrom a secure hash algorithms 141 c. Or, server 105 could authenticatewith module 101 by the module receiving a server digital signature 506in a response 209 using the shared secret key 129 c. In addition, module101 could utilize the shared secret key 129 c as a symmetric key 127 todecrypt a received server encrypted data 504 with symmetric ciphering141 b, and if module 101 could properly decrypt the server encrypteddata 504 using the shared secret key 129 c, then module 101 wouldreasonably know the correct server 105 sent the response 208 and therebythe server 105 would be authenticated. Other possibilities exist as wellfor a server 105 to authenticate with a module 101 using a shared secretkey 129 c without departing from the scope of the present invention.

Continuing at step 904, module 101 can receive a set of cryptographicparameters 126, preferably after module 101 completes authenticationwith server 105 (in order for server 105 to not send the set ofcryptographic parameters 126 to unauthenticated 3^(rd) parties). A setof cryptographic parameters 126 received in a step 904 can also comprisea second set of cryptographic parameters 126, where the second set ofcryptographic parameters 126 could be different or the same as the firstset of cryptographic parameters 126 from a step 902. The set ofcryptographic parameters 126 at step 904 can comprise a subset ofcryptographic parameters 126 a as depicted and described in connectionwith FIG. 1i . Module 101 could send the set of cryptographic parameters126 recorded in step 902 to the server 105, and the server 105 couldrespond with a subset of cryptographic parameters 126 a. In anotherembodiment, server 105 could send module 101 a set of cryptographicparameters 126 at step 904, and module 101 could send a subset of thecryptographic parameters 126 a to the server. At step 904 either module101 or server 105 could send the subset of cryptographic parameters 126a. In either case, at the conclusion of step 904 the module 101 andserver 105 can preferably agree on a set of cryptographic parameters 126for use with cryptographic algorithms 141 for further communication. Inan exemplary preferred embodiment, a set of cryptographic parameters 126sent and/or received at a step 904 may preferably be encrypted using theshared secret key 129 c, such as using the shared secret key 129 c as asymmetric ciphering key 127. In this manner, module 101 and server 105can encrypt the set of cryptographic parameters 126 received in a step904, without requiring the secure transmission of a different key otherthan the mutually derived shared secret key 129 c.

After step 904, module 101 can then proceed to a step 712, where a step712 is depicted and described in connection with FIG. 7. As depicted anddescribed in connection with FIG. 7, step 712 can include a plurality ofsub-steps including module 101 (i) deriving a first set module PKI keysat a step 515, (ii) determining that a new set of module PKI keys areneeded in a step 708, (iii) receiving a new set of cryptographicparameters 126 in a step 607, and (iv) deriving a second set of modulePKI keys using the new set of cryptographic parameters 126 in a step709, and (v) sending the new, second module public key 111 withauthentication in a step 710, etc. In this manner, module 101 can use asecret shared key 129 c to initially establish secure communication witha server 105, and subsequently use the other steps illustrated in thepresent invention, such as, but not limited to, the steps illustrated inFIG. 7, in order to securely derive a series of module PKI key pairs andauthoritatively send a derived module public key 111.

Although not illustrated in FIG. 9, in exemplary embodiments, there canbe cases where a module 101 would return from step 712 back to priorsteps, including steps 902, 903, and/or, 904. After module 101 beginsoperation, such as, but not limited to, collecting sensor data 305associated with a monitored unit 119, module 101 could return to a step904 upon connection with a new set of servers 1010 (illustrated in FIG.10 below) where module 101 may prefer to conduct a 2-way authenticationof the set of servers 1010 in a step 904. In an exemplary embodiment,module 101 could utilize DNS and a server name 206 or a server identity206 in order to query or lookup a destination IP address 106 in order tosend a message 208. Since DNS records can change over time, and a mobilenetwork operator 108 could utilize different servers 105 or set ofservers 1010 over time, module 101 may determine that a destination IPaddress 106 associated with a DNS response can change. Upon a change inthe IP address 106 associated with a server 105, in an exemplaryembodiment, module 101 could return to a step 904 upon a change in IPaddress 106 in order to conduct the authentication of server 105 asecond time. In this exemplary subsequent return to step 904, the modulecould also receive another set of cryptographic parameters 126 or 126 aand use this set of cryptographic parameters 126 or 126 a upon asubsequent return to step 712.

In another exemplary embodiment, module 101 could return to either astep 903 or step 902 upon a reset or equivalent operation of module 101.After module 101 begins operation, such as, but not limited to,collecting sensor data 305 associated with a monitored unit 119, module101 could return to a step 903 or 902 upon receiving a reset command.The reset command could be received locally at module 101 by an end-useror technician, or remotely from a server 105 via a response 209 with amodule instruction 502 of “reset” or a similar command. The resetcommand could comprise a “factory reset” command in order to wipeconfidential data from module 101. A “reset” command could be receivedby a module 101 for many different purposes, including (i) a change inownership of module 101, (ii) a lack of payment from an end-user tomobile network operator 108, such that mobile network operator 108determines that operation of module 101 (and associated variable costssuch as the costs of using a network 102) should cease, (iii) a firmwareupgrade of module 101 where the new firmware requires a newconfiguration, and other possibilities exist as well for a module 101 toreceive a reset command. Upon receiving a reset command and returning toa step 902, module 101 could complete step 902 and subsequent steps.Upon receiving a reset command and returning to a step 903, module 101could complete step 903 and subsequent steps.

FIG. 9b

FIG. 9b is a flow chart illustrating exemplary steps for a module toderive a shared secret key K using a derived module PKI key, inaccordance with exemplary embodiments. Although the use of an embeddeduniversal integrated circuit card (eUICC) such as an eUICC 163 depictedand described in FIG. 1c and other Figures herein can providesignificant benefits of reducing the costs and complexities associatedwith the physical distribution of media or units such as a physical SIMcard or UICC, significant challenges and requirements have impeded thedevelopment and adoption of eUICC standards as of 2013, such as thoseproposed in ETSI TS 103 383 and related standards. One primary challengehas been the secure distribution of shared secret key K for operationwith a wireless network 102 that functions as a PLMN based on ETSIstandards, such as, but not limited to, 4G LTE networks and alsonetworks using 4G LTE Advanced. Shared secret key K for a regular SIM orUICC can comprise the key K contemplated for a SIM in 3GPP TS 33.401V12.9.0 and related standards, and shared secret key K can be used toderive session keys such as the cipher key (CK) and the integrity key(IK) as described in ETSI and 3GPP standards in order to a module 101such as a mobile phone, mobile station, or user equipment to access awireless network 102. Shared secret key K is normally recorded by boththe wireless network 102 and a UICC within a module 101 usingconventional technology.

FIG. 9b illustrates and embodiment of the present invention where amodule 101 can securely derive shared secret network key K 129 d using aderived module private key 112. As described below in FIG. 11, a network102 can also derive the same shared secret network key K 129 d, withoutrequiring the recording or distribution of shared secret network key K129 d in a eUICC profile 311. Note that (i) an eUICC profile 311 couldinclude an initial key K 325, which can comprise a shared secret key Kcontemplated in 3GPP TS 33.401 V12.9.0 and related standards, and (ii)the initial key K 325 could be used for an initial connection withwireless network 102 and the initial key K 325 could comprise a secretshared key 510 in FIG. 9b , but module 101 and a mobile network operator108 can use change from using the initial key K 325 in an firstconnection by module 101 to wireless network 102 to using the derivedshared secret network key K 129 d in a second and subsequent connectionby module 101 to wireless network 102. Using the steps depicted anddescribed in FIG. 9b , the derived shared secret network key K 129 ddoes not need to be transmitted to or from a module 101, therebyincreasing security. Further, the secure derivation of a shared secretnetwork key K 129 d by both a module 101 and a wireless network 102 canprovide compatibility with the the well established and incumbent PLMNinfrastructure that utilizes a pre-shared secret key K as currentlyrecorded in a SIM card or UICC with conventional technology. In thismanner, the use of an eUICC 163 by a module 101, where networkcredentials 314 could include or be associated with a derived moduleprivate key 112 as contemplated in the present invention, can remaincompatible with incumbent PLMN infrastructure while achieving thesecurity benefits of a module 101 and mobile operator network 108mutually deriving shared secret key K.

At a step 905, a module 101 with an eUICC 163 can read a received eUICCprofile 311. The received eUICC profile 311 could be recorded in anonvolatile memory such as, but not limited to, a flash memory 101 w. Amodule 101 could have previously received the received eUICC profile 311from an eUICC subscription manager 164 or another entity, including afirst wireless network 102. Or, the received eUICC profile 311 in a step905 could be loaded into module 101 by a manufacturer, distributor, orend user. At a profile activation 316 step, a module 101 using the eUICC163 can convert the received eUICC profile 311 into an activated eUICCprofile 313. As contemplated herein and throughout the presentinvention, an activated eUICC profile 313 can comprise a selected andenabled network access application state as illustrated in Figure D.1 ofETSI TS 103 383 v.2013-02 for the activated eUICC profile 313, and otherpossibilities exist as well. In exemplary embodiments, the step 316illustrated in FIG. 9b can be performed concurrently with a step 906below.

At a step 316, a module 101 can derive a module private key 112 and amodule public key 111. Module 101 could use a step 316 in order toderive the module PKI key pair 315, and a module 101 can use sub-stepsdepicted and described in connection with a step 316 in FIG. 3b , FIG.5b , and FIG. 7. A module 101 could also use a step 515 as depicted anddescribed in connection with FIG. 5b and FIG. 7 in order to derive themodule private key 112 and module public key 111. Module 101 could alsouse a set of cryptographic algorithms 141, a key pair generationalgorithm 141 e, a random number generator 128, and a set ofcryptographic parameters 126 to process or derive the module PKI keypair 315 at a step 316 in FIG. 9b . Module private key 112 and modulepublic key 111 could be processed and formatted according to either anRSA algorithm 153 or an ECC algorithm 154. The set of cryptographicparameters 126 could comprise a subset of cryptographic parameters 126 aas illustrated in FIG. 1i . A set of cryptographic parameters 126 usedin a step 316 in FIG. 9b for deriving the module PKI key pair 315 couldbe included in the received eUICC profile 311, as illustrated in FIG. 3b. Or, the set of cryptographic parameters 126 used in a step 316 in FIG.9b for deriving the module PKI key pair 315 could be included in theeUICC 163. In exemplary embodiments, module private key 112 and modulepublic key 111 may utilize an ECC algorithm 154 in order to provide ahigher level of security for a given key length. Module 101 could alsocalculate or process a key K module token 1103 at a step 316 in FIG. 9b, and the use and function of a key K module token 1103 is depicted anddescribed in connection with FIG. 11 below.

Note that the actual step of key derivation could be performedindependently of a profile activation step 316, such that a module 101derives the module PKI key pair 315 before a profile activation 316step, but upon completion of a profile activation step 316, an activatedeUICC profile 313 can preferably include or be associated with a derivedmodule private key 112 and derived module public key 111 in exemplaryembodiments. In other words, in order for a module 101 to use anactivated eUICC profile 311 (which could also comprise a selected and/orenabled profile) to connect with a wireless network 102, the activatedeUICC profile 311 can preferably be associated with a derived moduleprivate key 112 and derived module public key 111, where the derivedkeys could be processed by module 101 using a key pair generationalgorithm 141 e. Module 101 could use a set of cryptographic parameters126 recorded in a received eUICC profile 311 to derive the module PKIkey pair 315.

At a step 906, the derived module public key 111 and derived moduleprivate key 112, which could be associated with an activated eUICCprofile 313, resulting from a step 316 above in FIG. 9b , can berecorded in a nonvolatile memory, such as, but not limited to, a flashmemory 101 w. In this manner, PKI keys could be later read by module 101after a power off state or similar state where a RAM 101 e could beflushed. Although not illustrated in FIG. 9b , module 101 could alsosend the derived module public key 111 to the wireless network 102and/or a server 105, such that other entities besides module 101 can usethe derived module public key 111 for communication with module 101.Module 101 could use a step 517 to authenticate the derived modulepublic key 111 sent. After a successful sending of the derived modulepublic key 111 to the wireless network 102 and/or a server 105, module101 could optionally choose to no longer record derived module publickey 111 associated with a step 316 within nonvolatile memory of module101.

At a step 907, module 101 could connect with a wireless network 102. Theconnection procedure could include an LTE attachment procedure and aseries of steps for LTE authentication. A module 101 at a step 907 couldpromote from a detached state to an “radio resource connected” stateusing attachment and promotion procedures outlined in 3GPP specificationTS 24.301 v12, entitled “Non-Access-Stratum (NAS) protocol for EvolvedPacket System (EPS); Stage 3”. In a first exemplary embodiment, module101 could attach and authenticate with wireless network 102 in a step907 using the initial key K 325 recorded in a received eUICC profile311, where the initial key K 325 recorded in a received eUICC profile311 could comprise a first shared secret network K key (such as apre-shared secret key K described in 3GPP TS 33.401 V12.9.0). Module 101could also connect with and authenticate at a step 907 using the networkmodule identity 101 b recorded in a received eUICC profile 311. In theembodiment where an initial key K 325 comprises a first shared secretnetwork K key, module 101 could authenticate with the network 102 usingthe standard procedure or receiving a RAND 912 and processing andsending a response RES 913, as described at step 910 below for FIG. 9b .In an exemplary embodiment, a difference with authentication at a step907 from authentication at a step 910 is that authentication at a step907 could utilized the initial key K 325 recorded in a received eUICCprofile 311, while a later authentication at a step 910 can utilize adifferent key.

Although not illustrated in FIG. 9b , in another exemplary embodiment,module 101 can connect or complete an attachment procedure with wirelessnetwork 102 at a step 907 without a valid key K and network moduleidentity 110 b (or equivalently a “null” value for the key K and alsopossibly a “null” value for the network module identity 110 b), and thiscase would also be synonymous or equivalent to a module 101 attaching towireless network 102 without a valid SIM card or UICC. Note that bothstandards and deployed, operational wireless networks widely support theattachment of mobile phones without a valid SIM/UICC in order to supportemergency services. Or, in an exemplary alternative embodiment for astep 907 module 101 could connect with wireless network 102 using a keyK and network module identity 110 b that are not valid, and/or notauthenticated by a wireless network 102 or mobile network operator 108.This feature to support emergency calls/emergency services without avalid SIM card or UICC (or a valid or activated SIM/UICC withauthenticated network access credentials) is also mandated by regulatoryauthorities in different countries, such as the Federal CommunicationCommission (FCC) in the US.

Consequently for this alternative embodiment contemplated for a step 907in FIG. 9b but not illustrated in FIG. 9b , module 101 in a step 907illustrated in FIG. 9b could attach to a wireless network 102, where themodule 101 and the network 102 use a null or invalid values for key Kand/or network module identity 110 b at a step 907. Module 101 at a step907 could identify itself to wireless network 102 using either (i) amodule identity 110 recorded in a non-volatile memory or (ii) a networkmodule identity 110 b recorded in a received eUICC profile 311, andother possibilities for the identity of module 101 in a step 907 whenattaching to a wireless network 102 in an unauthenticated manner arepossible as well for a step 907 without departing from the scope of thepresent invention. In this alternative exemplary embodiment for a step907 (as one alternative to the step 907 depicted in FIG. 9b ), a module101 at a step 907 could complete an attachment procedure as outlined in3GPP specification TS 24.301 v12 without successfully completing anauthentication procedure using a shared secret network K key or aninitial key K 325 recorded in a received eUICC profile 311. In otherwords, the initial key K 325 for a step 907 does not have to be a valid,acceptable, and/or authenticated key K in order to use the stepsillustrated in FIG. 9b , although in some embodiments of the presentinvention the initial key K 325 can be a proper and authenticated key Kfor wireless network 102. The initial key K 325 used in a step 907 couldalso comprise a “null” value, and a “null” value for a key K iscontemplated in LTE and related wireless network standards (in order tosupport mandated emergency services for module network operator 108).

After connecting with wireless network 107 in a step 907, at a step 908,module 101 can send wireless network 102 a key K module token 1103,where a key K module token 1103 is depicted and described in connectionwith FIG. 11 below. The key K module token 1103 could be calculated orprocessed by module 101 in a step 316, although the key K module token1103 could be derived at other times or steps as well. A message orpacket sent from a module 101 to a server 105 associated with network102 in a step 908 can also include any of (i) a module identity 110,(ii) an encrypted module identity 110 a, and/or (iii) a network moduleidentity 110 b. A key K module token 1103 in a step 907 can comprise anyof (i) a derived module public key 111, where the derived module publickey 111 could be calculated in a step 906 above, (ii) a value processedby a module 101 for a Diffie Hellman key exchange, (iii) an algorithmtoken 190 for a shared secret algorithm 141 g, and/or (iv) a number orstring for a server 105 to use in a network key K derivation algorithm1101 in order for mobile network operator 108 to derive a secret sharednetwork key K 129 d. In an exemplary embodiment, module 101 can send thekey K module token 1103 to a server 105 such as, but not limited to, ahome subscriber server (HSS) using a step 522 at a step 908.

At a step 908, module 101 can send a message 208 with a key K moduletoken 1103 and authenticate data associated within the message, such as,but not limited to, a module identity 110. However, a separateauthentication of a message with key K module token 1103 using a step522 may optionally be omitted (thus depicting “908 And/Or 522” in FIG.9b ), for embodiments where module 101 uses a valid, authenticatedinitial key K 325 for a step 907 above. In the embodiment described inthe previous sentence, the steps for “And/Or 522” depicted in FIG. 9bmay be omitted, and thus the optional additional steps for 522 could beomitted with a step 908 for a FIG. 9b . In other words, when module 101uses a valid, authenticated initial key K 325 for a step 907, module 101can send key K module token 1103 in a step 908, and separate, additionalsteps for authenticating the key K module token 1103 may not berequired.

For other embodiments where module 101 connects with wireless network102 using an invalid, unauthenticated, or “null” initial key K 325 (suchas attaching in a manner for supporting emergency services but notregular subscriber service as described at Step 907), the steps for“And/Or 522” depicted in FIG. 9b can be included, in order for a mobilenetwork operator 108 to receive the key k module token 1103 in a securemanner. A module 101 sending the key K module token 1103 at a step 908and 522 in FIG. 9b could authenticate the message, or data associatedwith the message, in a step 908 using a step 522. In exemplaryembodiments, module 101 can attach to the wireless network 102 withoutsuccessfully completing authentication (such as the data-link andnetwork layer of the OSI stack not being authenticated), and send amessage 208 with key K module token 1103 in a step 908 with a step 522in FIG. 9b . The message 208 with key K module token 1102 could beauthenticated by a server 105 using a shared secret key 510, as depictedand described in connection with a step 517 of FIG. 5b . In this manner,module 101 could use an eUICC 163 with a received eUICC profile 311 thatcontains both an initial key K 325 and a shared secret key 510. Theinitial key K 325 may not be valid and/or authenticated (or couldcomprise a “null” value). Module 101 could attach to the wirelessnetwork 102 in a manner that supports emergency services. Module 101could send the key K module token 1103, and authenticate data associatedwith key K module token 1103 using a step 517 and the shared secret key510. Note that the same value or number could be used for both initialkey K 325 and shared secret key 510, although the values or numbers forthe two keys could also be different.

In another embodiment for FIG. 9b , a valid initial key K 325 can beutilized to authenticate a module 101 with a wireless network 102, whereinitial key K 325 comprises a pre-shared secret key K contemplated in3GPP TS 33.401 V12.9.0 and used in a step 907. A separate shared secretkey 510 can be used for authentication of application data such assending key K module token 1103 in a message 208 to a server 105 in astep 908 with a step 522, where the authentication could use (i) a step517 in step 522 and (ii) the shared secret key 510.

In exemplary embodiments, shared secret key 510 can be used by bothmodule 101 and a mobile network operator 108 in a step 908 with a step522 in order to verify and authenticate that a key K module token 1103(or related data such as a module identity 110 and/or a network moduleidentity 110 b) is properly authenticated at a step 908 using a step522, such that imposters or fraudulent submissions of key K module token1103 could be reasonably be prevented or excluded from using a step 908.As noted above, the use of a step 522 with a shared secret key 510 canbe optionally omitted, and the submission or sending of key K moduletoken 1103 could be secured by using a valid, authenticated initial keyK 325. Other possibilities for a module 101 to send a key K module token1103 to a server 105 associated with a mobile network operator 108 arepossible as well without departing from the scope of the presentinvention. Although not illustrated in FIG. 9b , after sending themodule key K token 1103 in a step 908, module 101 can detach from thewireless network 102. A subsequent re-attachment of module 101 at latersteps, such as step 909 below, could utilize a different key K than theinitial key K 325 used in a step 907, such as module 101 using thederived shared secret network key K 129 c in a second attachment andconnection procedure with the same wireless network 102.

At a step 909, a module 101 can derive a shared secret network key K 129d using the derived module private key 112 and a key derivation function141 f. The key derivation function 141 f could use a Diffie-Hellman keyexchange plus a set of cryptographic parameters 126 with the derivedmodule private key 112 in order to derive the shared secret key K 129 d.A key derivation function 141 f could also use alternative algorithms toDiffie-Hellman, such as, but not limited to, ECDH 159, ANSI-X.9.63 160,or similar key exchange protocols, such that a module 101 could use thederived module private key 112 from a step 316 in order to derive asecret shared network key K 129 d that is also shared with a wirelessnetwork 102. As contemplated herein, a step 909 can also comprise amodule key K derivation algorithm 909, and a module key K derivationalgorithm 909 is depicted and described below in FIG. 11. As depicted inFIG. 11, a step 909 comprising a module key K derivation algorithm 909could also use input of a network key K token 1102. A key K networktoken 1102 for a step 909 can comprise any of (i) a network public key165 b, (ii) a value from MNO 108 for a Diffie Hellman key exchange,(iii) a server public key 114, and/or (iv) a number or string for amodule 101 to use in a module key K derivation algorithm 909 in orderfor module 101 to derive a secret shared network key K 129 d. The key Knetwork token 1102 could be recorded in a received eUICC profile 311 orreceived by module 101 in a response 209 (not shown in FIG. 9b ) priorto step 909.

The output of a key derivation function 141 f in a step 909 (alsodepicted and described in connection with FIG. 11 below), using input atleast in part of (i) the module private key 112, (ii) a set ofcryptographic parameters 126 or 126 a, and (iii) the key K network token1102, could comprise a derived shared secret key 129 b that is differentthan shared secret network key K 129 d. As one example, the derivedshared secret key 129 b could have a different number of bits forderived shared secret key 129 b than the 128 bit long key length forshared secret key K compatible with ETSI standards for LTE networks in2013. In this exemplary case, a module 101 and a server 105 couldperform additional key processing 141 i to convert (A) a derived sharedsecret key 129 b output by a key derivation function 141 f in a step 909into (B) a mutually derived shared secret network key K 129 d.

The function of a shared secret network key K 129 d (in the form of akey “K”) is described in 3GPP TS 33.401 V12.9.0 and related standards,where shared secret key K is used to derive session keys such as asession cipher key (CK) and a session integrity key (IK) as described inETSI and 3GPP standards. Conventional technology for the use of a sharedsecret key K contemplates that shared secret key K comprises apre-shared secret key K recorded in (i) physical media such as a SIM or(ii) transferred electronic media such as an eUICC profile that would bedelivered to a module 101 with an eUICC 163. In exemplary embodiments ofthe present invention, the shared secret network key K 129 d isinternally derived by a module 101 using (i) the derived module privatekey 112 from a step 316 and (ii) a step 909, which could also comprisethe use of a module key K derivation algorithm 909. In this manner,module 101 can process or obtain the shared secret network key K 129 dwithout having the shared secret network key K 129 d pass through 3^(rd)parties (even in an encrypted electronic form), and thereby increase thesecurity, convenience, and flexibility of a system 100 and other systemscontemplated herein that utilize an eUICC 163 for a module 101 toconnect with a wireless network 102. As depicted and described inconnection with FIG. 11 below, concurrent with step 909 a wirelessnetwork 102 or a mobile network operator 108 could also derive the sameshared secret network key K 129 d using a network key K derivationalgorithm 1101. After mutual derivation of the same shared secretnetwork key K 129 d, module 101 and wireless network 102 can initiateregular communications on legacy and widely deployed wireless networks102. Establishing regular communications with the widely deployedwireless networks 102 includes the derivation of subsequent sessionkeys, after mutually obtaining a secure shared secret network key K 129d. Additional details for a step 909 are depicted and described inconnection with FIG. 11 below.

At step 910, after deriving shared secret network key K 129 d from astep 909, where shared secret network key K 129 d can also be derived bya mobile network operator 108, module 101 can use an eUICC 163 toreconnect with the wireless network 102 associated with the activatedeUICC profile 313. The activated eUICC profile 313 could be obtained ina step 316 above. Module 101 can send the network module identity 110 bto the wireless network 102, where the network module identity 110 b canbe recorded in the activated eUICC profile 313. Module 101 can use thederived shared secret network key K 129 d from a step 909 toauthenticate with wireless network 102 and/or mobile network operator109 in a step 910, where the derived shared secret network key K 129 dis different than the initial key K 325 used in a step 907 for a priorauthentication with wireless network 102.

This exemplary change in a key K used with wireless network 102 in FIG.9b illustrates several important differences with conventionaltechnology. First, the module 101 can use two different key Ks(comprising shared secret network key K 129 d and initial key K 325)with the same wireless network 102 without physically changing a SIM orUICC. Second, module 101 can use an eUICC 163 and steps in FIG. 9b withsame activated eUICC profile 313 and two different key Ks in order tocommunicate with wireless network 102. Using conventional technology asof 2013, a change for a key K is not contemplated for the same activatedeUICC profile 313 or a physical UICC. Further, conventional technologyfor an eUICC 163 does not contemplate that module 101 could derive a keyK (in the form of a shared secret network key K 129 d described herein)for use with an eUICC 163 that also can be mutually shared with MNO 108,without requiring the electronic distribution of key K, even in anencrypted or ciphered form.

Continuing at step 910, wireless network 102 and/or mobile operatornetwork 108 can use ETSI standards for PLMN networks, including LTE andLTE advanced networks and standards such as 3GPP TS 24.301v10+, in orderto authenticate, module 101 in a step 910. Upon reconnecting to wirelessnetwork 102, module 101 can receive a random number in the form of aRAND 912 from the wireless network 102. The algorithm for authenticationof module 101 with the wireless network 102 can comprise a form ofmessage digest authentication. Module 101 can input the received RAND912 and derived shared secret network key K 129 d into a set ofcryptographic algorithms 141 in order to obtain the response RES 913. Anexemplary calculation of a RES 913 using a key K and RAND 912 isdescribed in ETSI standard TR 131 900 v.10.0.0 and related documents.For exemplary embodiments that utilize FIG. 9b , the set ofcryptographic algorithms 141 for processing the response RES 913 canoperate within an eUICC 163 within module 101.

Continuing with a step 910, as specified in ETSI/3GPP standards, theRAND 912 and an internally recorded key K (which could be the derivedshared secret network key K 129 d for a step 910 in the presentinvention) can also be subsequently used with a set of cryptographicalgorithms 141 for the derivation of additional keys such as, but notlimited to, a cipher key (CK) and an integrity key (IK) (described in astep 911 below). Exemplary embodiments of the present invention canutilize the derived secret shared network key K 129 d instead of the keyK recorded in a SIM or UICC in order to perform the same operations toderive CK, IK and related keys, thereby maintaining secure compatibilitywith the significant installed infrastructure in PLMN networks forsupporting the use of key K in SIM/UICC cards for mobile phones in 2013and future networks using a key K. Upon conclusion of a step 910, module101 can send the response RES 913 to the wireless network 102 in orderto authenticate. Wireless network 102 or MNO 108 could calculate thesame RES 913 for the same RAND 912 using the shared secret network key K129 d mutually derived by wireless network 102 or MNO 108 (possiblyusing a network key K derivation algorithm 1101 illustrated in FIG. 11below), and thereby compare the RES 913 received from module 101 in astep 910 with the RES 913 internally calculated by MNO 108 using thesame set of cryptographic algorithms 141 as module 101. Module 101 couldbe authenticated with network 102 using the network module identity 110b in the case the two RES 913 values match for network 102 (i.e. thereceived RES 913 matches the internally calculated RES 913).

After the internal, secure derivation of a shared secret network key K129 d in a step 909 and the authentication of module 101 with a wirelessnetwork 102 in a step 910, at a step 911 module 101 can begin theprocess of generating additional keys in order to securely transmit andreceive application data with or through a wireless network 102. At step911, module 101 can derive a cipher key (CK) 914 by inputting into a setof cryptographic algorithms 141 both RAND 912 and the derived sharedsecret network key K 129 d. The RAND 912 and the derived shared secretnetwork key K 129 d could also be input into a key derivation function141 f within a set of cryptographic algorithms 141. An output of a keyderivation function 141 f in a step 911 can be CK 914, which couldcomprise a session key. The key derivation function 141 f in a step 911can utilize relevant algorithms for generating CK 914 specified in ETSI,3GPP, or similar standards for wireless networks, including WiMAX, suchthat module 101 can independently derive the same value for CK 914 atwireless network 102. CK 914 can subsequently be used with or forfurther deriving a symmetric key 127 with a symmetric cipheringalgorithm 141 b for encrypting data transmitted or sent to wirelessnetwork 102 by module 101 and decrypting data received. As one example,CK 914 could be used to derive a key Kupenc, where Kupenc is used tocipher data transmitted by a module 101 from a radio 101 z to a basestation 103.

Although not illustrated in FIG. 9b , both module 101 and a wirelessnetwork 102 could derive several additional secret keys using thederived and mutually shared secret network key K 129 d, and theadditional keys could comprise values for an integrity key (IK), Kasme,Knasenc, Knasint, Kenb, and/or Kupenc. In this manner, and asillustrated in FIG. 9b , the derivation of a module private key 112 canbe used for the derivation of a shared secret network key K 129 d, andshared secret network key K 129 d can be the basis for securecommunications between a module 101 and a mobile network 102, whilekeeping compatibility with existing and future standards for both mobilephones and deployed wireless networks 102.

FIG. 10

FIG. 10 is a simplified message flow diagram illustrating an exemplarysystem with exemplary data transferred between a module and a set ofservers, in accordance with exemplary embodiments. System 1000 maycomprise a module 101 and a set of servers 1010, where the set ofservers 1010 can include a plurality of servers 105 and a shared moduledatabase 105 k. FIG. 10 illustrates module 101 communicating with aserver 105, depicted as “server A” 105, although a module 101 couldcommunicate with other servers within a set of servers 1010 as well. Theset of servers 1010 could be associated with a mobile network operator108 and the set of servers 1010 could operate in a coordinated mannerthrough a network. In exemplary embodiments where a module 101 and awireless network 102 mutually derive a shared secret network key K 129d, then the set of servers 1010 illustrated in FIG. 10 could be (i)operated by a mobile network operator 108 and also be (ii) associatedwith a home subscriber server (HSS). Although not illustrated in FIG.10, module 101 could access a wireless network 102 and the IP Network107 illustrated in FIG. 1a in order to send data to and receive datafrom a server 105 within a set of servers 1010.

As illustrated in FIG. 10, a module 101 can communicate with a server105 using the steps and datagrams illustrated in other figures,including sending a message 208, receiving a response 209, using steps711, 607, 709, and/or 710 as depicted and described in connection withFIG. 7, and/or steps 316 and 516 from FIG. 5b . FIG. 10 illustrates someof many potential combinations of using these individual steps for anefficient and secure system. Other messages 208 may potentially flowbefore and/or after a “first message” 208. This terminology of “firstmessage”, “second response”, “second public key”, etc. contemplated invarious Figures herein may refer to the “first message”, “secondresponse”, “second public key”, “first set of parameters”, etc.described in the illustrated flows within each Figure. Other messages,responses, keys, and parameters may be communicated before and/or aftera depicted “first message”, “second response”, “second public key”, etc.The depicted elements for Figures herein can comprise subsets of allmessages, responses, keys, etc. that may also flow, and the subsets candepict various embodiments contemplated herein.

In exemplary embodiments, FIG. 10 illustrates the establishment ofsecure communication between a module 101 and a set of servers 1010 forthe case where (i) an existing, authenticated module public key 111 isavailable from external servers, and (ii) the existing module public key111 can be used to send parameters for the module 101 to derive a newmodule PKI key pair. As one example, the optional step 711, before astep 1001, could be used to authoritatively record a module public key111 with external servers such as those external servers shown in a step1002 in FIG. 10. The optional step 711 could include module 101recording an initial module public key 111 b that is not derived bymodule 101, but rather loaded into module 101 by a manufacturer,distributor, or end user, and the initial module public key 111 b couldbe used by a module 101 and a server 105 to authenticate and/orencrypted subsequent communications related to a derived module publickey 111. After the derived module public key 111 has been successfullyauthenticated or recorded by a server 105 or a set of servers 1010, thena server 105 or set of servers 1010 can begin using the derived modulepublic key 111 for subsequent authentication and/or encryption forcommunication with a module 101, instead of continuing to use theinitial module public key 111 b.

In exemplary embodiments, (i) an initial module private key 112 b couldbe recorded in a nonvolatile memory for module 101 prior to a step 1001illustrated in FIG. 10, possibly using a step 711, and (ii) a set ofservers 1010 could use an initial module public key 111 b associatedwith the initial module private key 112 b in order to establish initialsecure communications with a module 101 such as using a step 1004 totransfer a symmetric key 127 for ciphering a new, second set ofcryptographic parameters 126, and then (iii) a module 101 could receivethe ciphered second set of cryptographic parameters 126 with subsequentexemplary steps illustrated in FIG. 10 to derive additional module PKIkeys, and (iv) establish secure communication with a set of servers 1010using the second set of cryptographic parameters 126 and the derivedmodule PKI keys.

In an embodiment where module 101 records a “base” certificate 122 (witha corresponding “base” module private key 112) which are included with amodule 101 by a manufacturer. A mobile network operator 108 can use the“base” certificate 122 to communicate further sets of cryptographicparameters 126 for deriving additional module PKI keys. The initial setof cryptographic parameters 126 and an initial module public key 111 bcould be recorded in the “base” certificate 122, and the exemplary useof cryptographic parameters 126 in a certificate 122 is illustrated inFIG. 1j . The initial set of cryptographic parameters 126 could also bereferred to as a “base” set of cryptographic parameters 126. The modulemanufacturer, module provider 109, mobile network operator 108, and/orwireless network 102 could agree on a common initial set ofcryptographic parameters 126 (such as, but not limited to, agreeing thatinitial module PKI keys could be based on RSA and a length of 2048bits). By agreeing to a common initial set of cryptographic parameters126, different modules 101 from different manufactures could initiallyinteroperate with different module providers 109 and/or M2M serviceproviders 108 using the initial, “base” parameters. The entities such asthe mobile network operator 108 and/or wireless network 102 could usethe “base” or initial set of cryptographic parameters 126 with the“base” certificate 122 to establish secure communications wheresubsequent, different sets of cryptographic parameters 126 for derivingnew module PKI keys could be securely communicated and/or negotiated.

A first optional step 711 can comprise series of sub-steps comprising astep 702, 703, and 704 as depicted and described in connection with FIG.7. Note that the use of an optional step 711 can be omitted, and otherpreliminary steps and communications could take place between a module101 and a set of servers 1010 before a module 101 performs a step 1001.In another exemplary embodiment, a module 101 may have used the datafrom a step 711 in communicating with a different set of servers (notshown) than the set of servers 1010 illustrated in FIG. 10, and the setof servers 1010 illustrated in FIG. 10 may not have access to data fromthe different set of servers (not shown). The sub-steps for a step 711can include a module distribution and installation step 702. Ascontemplated herein, the term “installation” can also refer to a subsetof steps conducted by an end user or technician for activation, suchthat a module 101 performs initial steps to become operable uponcompletion of the “installation” or activation. In one embodiment,module 101 can comprise a mobile phone such as a smartphone and in thiscase “installation” in a step 702 within a step 711 can comprise an enduser powers up the mobile phone or smartphone for an initial time. Also,in an exemplary embodiment where the optional step 711 is omitted, nodata flows between a module 101 and a set of servers 1010 until thefirst message 208 at a step 1001 illustrated in FIG. 10.

After a sub-step 702 in an optional step 711 in FIG. 10, the nextsub-step can comprise a sub-step 703 as depicted and described in FIG.7. In this sub-step 703, a module 101 can record in nonvolatile memory ashared secret key 129, a first set of cryptographic parameters 126, anda server address 207. As discussed above, a server address 207 couldcomprise a server name 206 in a step 703, which could subsequently beresolved via DNS into an IP address 106 for a server 106 (or a pluralityof IP addresses 106 for a set of servers 1010). The use of a sharedsecret key 129 for a step 703 is depicted and described in connectionwith FIG. 7. Note that for the purposes of the present inventioncontemplated herein, a shared secret key can comprise any of apre-shared secret key 129 a, a derived shared secret key 129 b, or ashared secret key 129 c processed using a shared secret algorithm 141 g.In addition, and as described in a step 703 in FIG. 7, in an exemplaryembodiment a shared secret key 129 can comprise the combination of aninitial module private key 112 b and an initial module public key 111 b,and the use of the two initial keys can comprises a shared secret key129 for a sub-step 703 in an optional step 711 in FIG. 10. Also asdescribed in FIG. 7, a sub-step 703 could take place concurrently with asub-step 702 or possibly concurrently with a sub-step 701, such asduring manufacturing or before a module 101 leaves a manufacturingfacility.

After a sub-step 703 in an optional step 711 in FIG. 10, the nextsub-step can comprise a sub-step 704 as depicted and described in FIG.7. In this sub-step 704, a module 101 can conduct a 2-way authenticationwith a set of servers 105 using the shared secret key 129. Upon mutualauthentication, a module 101 can record a second set of cryptographicparameters 126. The second set of cryptographic parameters 126 couldcomprise a subset of cryptographic parameters 126 a as illustrated inFIG. 1i . Or, the second set of cryptographic parameters 126 could beequal to the first set of cryptographic parameters 126 from a sub-step703. The details for a module 101 to perform a mutual authenticationusing shared secret key 129 and receiving a second set of cryptographicparameters 126 are depicted and described in connection with step 704 inFIG. 7. In this manner, by using an optional step 711 before a step1001, module 101 and a server 105 can be mutually authenticated before astep 1001.

At a step 1001 of FIG. 10, a module 101 can send a first message 208,where the first message 208 can include a module identity 110 and afirst public key identity 111 a. As received by a server 105 within aset of servers 1010, the first message 208 in a step 1001 could includea first source IP:port number equal to IP address 210 and source portnumber 605. As sent by module 101, the first message 208 in a step 1001could include a first source IP:port number equal to IP:port number 204.Although firewall 104 is illustrated in FIG. 10 as operating as a “NATFirewall”, a firewall 104 in a system 1000 could also operate as asymmetric firewall without NAT functionality and in this case the firstmessage 208 in a step 1001 as received by a set of servers 1010 couldinclude a source IP:port number equal to IP:port 204. Note that moduleidentity 110 in a step 1001 could be in the form of an encrypted moduleidentity 110 a, and a module 101 could use a secret ciphering algorithm141 h to convert the module identity 110 into an encrypted moduleidentity 110 a using a secret ciphering algorithm ciphering 162. If afirst message 208 in a step 1001 includes an encrypted module identity110 a, then the first message 208 in a step 1001 could also optionallyinclude an algorithm token 190. In an exemplary embodiment, within asystem 1000 where a module 101 optionally used a step 711 before a step1001, many messages could have previously flowed between module 101 anda set of servers 1010 before the first message 208 in a step 1001.

At a step 1002, a set of servers 1010 can use the module identity 110and/or module public key identity 111 a in order to query other serverssuch as a server associated with a certificate authority 118, a moduleprovider 109, or an eUICC subscription manager 164 in order to receive afirst module public key 111 or certificate 122 for the module identity110 and/or module public key identity 111 a. Note than in an exemplarypreferred embodiment, module 101 may use a plurality of module publickeys 111 and/or certificates within a relatively short period of time(such as, but not limited to, using more than one module public key 111within the same month). Different exemplary multiple module public keys111 used concurrently by a module 101 are described elsewhere herein. Inthis embodiment where module 101 uses multiple module public keys 111and/or certificates 122 in a relatively short period of time, the modulepublic key identity 111 a can serve as a useful index or pointer to aparticular module public key 111 that a module 101 prefers to utilizewith a set of servers 1010.

In an exemplary embodiment for a step 1002, a module 101 could alsooptionally send the relevant module public key 111 in a step 1001, but astep 1002 may be conducted by a set of servers 1010 in order to verify,query, or obtain the module public key 111 and/or certificate 122 fromother servers. For example, if a module 101 had not previously conductedthe optional step 711 in a FIG. 10, and no authoritative information isavailable about a module 101 to a set of servers 1010 (such as nothaving a shared secret key 129 available in the case where a step 711was omitted), then a set of servers 1010 may preferably use theinformation in a message 208 received in a step 1001 to query the otherservers illustrated in FIG. 10 (i.e. servers for 118, 109, or 164) in astep 1002 in order to obtain verification of the module identity 110and/or a module public key 111 received in a step 1001, includingobtaining a certificate 122.

In an embodiment where module 101 sends the module public key 111 in astep 1001, the module 101 preferably includes the module identity 111 a.Module 101 could also send a certificate 122 in a step 1001, but the setof servers 1010 can independently query other servers for thecertificate 122 or module public key 111 (query using the moduleidentity 110 or module public key identity 111 a from a step 1001). Thequery to other servers can be used to independently and separatelyreceive the module public key 111, in order for a set of servers 1010verify or compare that a received module public key 111, which couldcomprise an initial module public key 111 b loaded by a manufacturer,matches the module public key 111, possibly in the form of a certificate122, received from an independent and authoritative third party.

In an exemplary embodiments for a step 1002, a set of servers 1010 canalso query other servers such as a certificate authority 118, an mobilenetwork operator 108, an eUICC subscription manager 164, and/or a sharedmodule database 105 k in order to receive a first set of cryptographicparameters 126. A set of cryptographic parameters 126 is depicted anddescribed in connection with FIG. 1d , FIG. 1i , and FIG. 7, andelsewhere herein. The first set of cryptographic parameters 126 in astep 1002 could comprise the parameters 126 a within a certificate 122illustrated in a FIG. 1j . Within a step 1002 a set of servers 1010could receive a certificate 122 for a module 101 with the moduleidentity 110 from another server illustrated, where the certificate 122could include (i) the module public key 111, (ii) the module identity110, (iii) a module public key identity 111 a, and (iv) a signature 123from a certificate authority 118. Within a step 1002, a set of servers1010 could also verify a chain of signatures 123 within a certificate122 for a module 101. A set of servers 1010 could use a differentIP:port number than IP:port 207 to query external servers forinformation pertaining to a first module public key 111 and a first setof cryptographic parameters 126.

After a step 1002, at a step 1003 a set of servers 1010 could send amodule 101 a response 209. In an exemplary embodiment, the response 209can include a server digital signature 506, where module 101 can verifythe server digital signature 506 using the server public key 114. Inthis manner, module 101 can authenticate the server identity 206 andverify or confirm that the module 101 is communicating with a correctserver 105 (such as not receiving data from an imposter or a “man in themiddle” attack). The server 105 preferably sends the response 209 to thesource IP:port received in the first message 208 in step 1001. Note thatfor embodiments which utilize an eUICC 163 and the mutual derivation ofa secret shared network key K 129 d, then the server digital signature506 in a step 1003 could comprise a an authorization number “AUTN”associated with a RAND 912 depicted and described in connection withFIG. 9b . Server digital signature 506 could be optionally omitted in astep 1003 in embodiments where module 101 performs a step 711 before astep 1001, as illustrated in FIG. 10.

At a step 1004, a symmetric key 127 could be sent either from (i) a setof servers 1010 or (ii) a module 101 using an asymmetric cipheringalgorithm 141 a and either (i) the module public key 111 from a step1002 or (ii) the server public key 114, respectively. Values for usingan asymmetric ciphering algorithm 141 a could be specified from thefirst set of cryptographic parameters 126 at either a step 1002 or astep 1001. The set of servers 1010 could record the symmetric key 127from a step 1004 in a shared module database 105 k, such that differentservers 105 within a set of servers 1010 could use the symmetric key 127in communication with the module 101. An exemplary datagram 601 a thatincludes a symmetric key 127 within an encrypted data that usesasymmetric ciphering 141 a is illustrated in element 701 a of FIG. 7 ofU.S. patent application Ser. No. 14/039,401, filed Sep. 27, 2013 in thename of John Nix, which is hereby incorporated by reference in itsentirety. Note that for embodiments which utilize an eUICC 163 and themutual derivation of a secret shared network key K 129 d, then the useof asymmetric ciphering for communicating a symmetric key 127 in a step1004 may be optionally omitted, and each side (i.e. module 101 and a setof servers 1010 associated with a wireless network 102) could mutuallyderive the secret shared network key K 129 d instead of sending orreceiving a symmetric key 127 across a network.

At a step 1005, a set of servers 1010 could record that the use of asecond set of cryptographic parameters 126 for a module 101 may bepreferred. A step 1005 could take place earlier in the sequence ofmessage flow illustrated in FIG. 10, such as even before a step 1001. Anexample of the case in the previous sentence could be where a set ofservers 1010 needs to initially communicate with a module 101 using a“base” set of cryptographic parameters 126 with an initial module publickey 111 b, and after initial secure communication is established, thenthe set of servers 1010 could use a different set of cryptographicparameters 126 and request that the module 101 derive a new set ofmodule PKI keys using the different set of cryptographic parameters 126.In another embodiment, a relatively long period of time such as severalyears could transpire between a step 1004 and a step 1005 (with manyadditional messages not shown in a FIG. 10 communicated between a module101 and a server 105 in the time between a step 1004 and a step 1005).Over time and for various commercial and security needs, a preferred setof cryptographic parameters 126 can change, such as the use of longerkey lengths, or adoption of new asymmetric ciphering algorithms 141 a,including the use of new ECC curves. Consequently, in a step 1005, a setof servers 1010 could record a second set of cryptographic parameters126.

At a step 607 in FIG. 10, a module 101 could receive the second set ofcryptographic parameters 126 from the set of servers 1010. Although notillustrated in FIG. 10, a module 101 preferably sends a message 208 withthe module identity 110 to the set of servers 1010 after a step 1004 andbefore a step 607, with the result that firewall 104 ports will betemporarily opened and bound so that a server 105 in a set of servers1010 can send a response 209 back to the module 101. A step 607 with aresponse 209 is also depicted and described in connection with FIG. 6and FIG. 7. The terminology depicted for a response 209 at a step 607 of“209:504: . . . ” can refer from left to right as the structure for anexemplary response 209 illustrated in FIG. 6, where the response 209 caninclude server encrypted data 504, and the server encrypted data caninclude either (i) a second set of cryptographic parameters 126, or (ii)a eUICC profile 311. The second set of cryptographic parameters 126 in aresponse 209 can be included in a server encrypted data 504. In thismanner, the second set of cryptographic parameters 126 can remainconfidential and reasonably securely received by a module 101.

Note that the symmetric key 127, or session key, used to cipher thesecond set of cryptographic parameters 126 in a step 607 in FIG. 10could be communicated in a step 1004 above or a similar step using anasymmetric ciphering algorithm 141 a. In an exemplary embodiment, thesecond set of cryptographic parameters 126 in a step 607 in FIG. 10 maynot be encrypted and can also be sent as plaintext within a response209. In addition, the set of cryptographic parameters 126 in a step 607in FIG. 10 may be communicated in the form of a reference to a set ofcryptographic parameters 126 from the use of a set of cryptographicparameters token 126 c (and thus a name or identity of the set ofparameters 126 could be communicated instead of the full set ofcryptographic parameters 126). As contemplated herein, for any referenceto a set of cryptographic parameters 126 in FIG. 5b through FIG. 10, theuse of a set of cryptographic parameters token 126 c can be substitutedfor communicating a complete list of cryptographic parameters 126.

For embodiments where a module 101 uses an eUICC 163, a step 607illustrated in FIG. 10 could comprise module 101 receiving a receivedeUICC profile 311, which could also contain the second set ofcryptographic parameters 126. The inclusion of a received eUICC profile311 within a step 607 is also described for a step 607 in connectionwith FIG. 7. The received eUICC profile 311 could be included in aserver encrypted data 504, and the server encrypted data 504 could beciphered using a symmetric key 127 communicated in a step 1004. Or, theserver encrypted data 504 for a step 607 could be ciphered with adifferent symmetric key 127. The set of servers 1010 could obtain thereceived eUICC profile 311 from an eUICC subscription manager 164. Notethat a response 209 which includes a received eUICC profile 311 in astep 607 in FIG. 10 can utilize a source IP:port number 207 that isdifferent than a source IP:port number 207 in a response 209 in a step1003 above. In other words, as contemplated herein, the numeric valuefor an IP:port number 207 can change over time, but a pair of datagramscomprising a message 208 and an resulting response 209 can utilize thesame numeric value for an IP:port number 207.

At step 1006, a module 101 can send a subset of cryptographic parameters126 a, where the subset of cryptographic parameters 126 a can be asubset of the cryptographic parameters 126 received in a step 607. FIG.1i above illustrates an exemplary “handshake” or “negotiation” of a setof cryptographic parameters 126 between a server 105 and a module 101,and the data illustrated in FIG. 1i can apply to step 607 and step 1006in FIG. 10. Alternatively, the subset of cryptographic parameters 126 acould be omitted, and the set of cryptographic parameters 126 receivedby a module 101 in a step 607 could be specific enough that module 101does not need to select any options within the set of cryptographicparameters 126. In this case (where a step 1006 is optionally omitted),then a set of cryptographic parameters 126 in a step 607 could alsocomprise a subset of cryptographic parameters 126 a. In addition, theterminology depicted for a message 208 at a step 1006 of “208:110:403:with Subset 2nd Parameters 126 a” can refer from left to right as thestructure for an exemplary message 208 illustrated in FIG. 6, with amessage 208 containing a module identity 110 and a module encrypted data403, where “Subset 2nd Parameters 126 a” would be inside the moduleencrypted data 403.

Other data such as, but not limited to, source and destination IP:ports,a datagram packet header, and a checksum 603, plus optional channelcoding 406 could be included in a packet comprising a message 208 sentby module 101 at a step 1006 and other messages 208 illustrated in FIG.10. In an exemplary embodiment, the second subset of cryptographicparameters 126 a in a step 1006 in FIG. 10 may not be encrypted and canalso be sent as plaintext within a message 208. In general, where theuse of encrypted data in the form of a module encrypted data 403 orserver encrypted data 504 is illustrated in various Figures, includingFIG. 10, the present invention contemplates that encryption may also beoptionally omitted at the network layer and application layer and thedata can be communicated as plaintext in these layers (but encryptioncould be performed at the data-link layer, such as ciphering data over apublic wireless network 102). In an exemplary embodiment, module 101 canalso use forward error correction at a step 1006, or other stepsillustrated in FIG. 10 and related Figures where a module 101 sendsdata, such that a module 101 can send multiple copies of the same orequivalent datagram comprising a message 208 in order to increase theprobability that a server 105 or set of servers 1010 receives at leastone datagram comprising a message 208.

At a step 709 or a step 316 in FIG. 10, a module 101 can derive a newmodule public key 111 and a new module private key 112 using theparameters 126 negotiated or communicated between steps 607 and 1006. Astep 316 in FIG. 10 can include the use of an eUICC 163 for module 101,and a step 709 for FIG. 10 can include embodiments that do not depend onthe presence of an eUICC 163. The use of a step 709 is depicted anddescribed in connection with FIG. 7 above. Although the text for a step709 is depicted in FIG. 7 as “Module Derives 2nd Public Key 111 and 2ndPrivate Key 112 Pair, using 3rd Parameters 126”, in the context of FIG.10, the second key pair would be derived using the second set ofparameters 126 negotiated between steps 607 and 1006. In other words,the set of cryptographic parameters 126 used for a step 709 either inFIG. 7 or FIG. 10 can comprise the most recent set of cryptographicparameters communicated between a module 101 and a server 105. Themodule 101 PKI key pair resulting from a step 709 could comprise eithera module PKI key pair that uses either ECC algorithms 154 or RSAalgorithm 153. The key lengths and other parameters for a module 101 toprocess the module 101 PKI key pairs can be specified in the set ofcryptographic parameters 126 negotiated or communicated between steps607 and 1006.

At a step 709 in FIG. 10, the module 101 could use a set of key pairgeneration algorithms 141 e in a set of cryptographic algorithms 141 ain order to derive a second module private key 112 and a correspondingsecond module public key 111. The first module public key 111 can bepreviously used in a step 1002 and the first module private key 112 canbe previously used in a step 1004, although these first module 101 PKIkeys could also be used in communication that is not shown (i) after astep 1004 within FIG. 10 (such as the case where an extended period oftime transpired between step 1004 and step 709 in FIG. 10), and (ii)before a step 709 in FIG. 10. A module 101 could determine that newmodule 101 PKI keys are preferred or desirable for many reasons beforeor upon a step 709, including the receipt of new cryptographicparameters 126 in a step 607, the transfer of ownership or control ofmodule 101, the opening of an enclosure for a module 101 where the firstmodule private key 112 could be compromised, the receipt of a moduleinstruction 502 of “derive new keys”, and other reasons exist as well.

In the embodiments where either (i) an eUICC 163 is used by a module 101to record a derived module private key 112 and a derived module publickey 111, and/or (ii) module 101 and a wireless network 102 derive ashared secret key network key K 129 d, a step 316 in FIG. 10 couldcomprise the activation of a received eUICC profile 311, or similarlythe derivation of a module PKI key pair 315 for an activated eUICCprofile 313. The received eUICC profile 311 activated in a step 316 inFIG. 10 could be received by a module 101 in a step 607 above. At a step316 in FIG. 10, a module 101 could use a step 316 as depicted anddescribed in connection with a step 316 in FIG. 9b , FIG. 7, and FIG. 5b, and FIG. 3b . A module 101 could derive a new module private key 112and a new module public key 111 at a step 316 using (i) a set ofcryptographic algorithms 141, (ii) a set of cryptographic parameters 126or 126 a (and the set of cryptographic parameters 126 a could berecorded in a receiving eUICC profile 311 being activated in a step 316in FIG. 10), (iii) a key pair generation algorithm 141 e, and (iv) arandom number generator 128. The derived module private key 112 andmodule public key 111 could be recorded in memory at a step 316 forfurther processing in additional subsequent steps.

At a step 710 within FIG. 10, the module 101 can send a message 208 thatincludes the second module public key 111 derived at a step 709. Theterminology depicted for a message 208 at a step 710 of “208:110:403:2nd 111 a: 2nd 111” can refer from left to right as the structure for anexemplary message 208 illustrated in FIG. 6, with a message 208containing a module identity 110 and a module encrypted data 403, wherethe second module public key identity 111 a and second module public key111 could be inside the module encrypted data 403. In exemplaryembodiments, the module public key identity 111 a could optionally beomitted in a step 710 and the data within a message 208 could alsooptionally be sent as plaintext. In the embodiment where module 101sends a message 208 with the derived module public key 111 at a step 710and also encrypts the module public key 111 in a module encrypted data403, the symmetric key 127 used with a symmetric ciphering algorithm 141b could be communicated between module 101 and a set of servers 1010 ina prior communication, such as, but not limited to, the transfers of asymmetric key 127 in a step 1004. Also, although a single instance ofthe transfer of a symmetric key 127 in a step 1004 is illustrated inFIG. 10, over time multiple different symmetric keys 127 could becommunicated between a module 101 and a set of servers 1010 using a step1004 or similar secure transfer, before module 101 sends the derived,second module public key 111 in a step 710. In an exemplary embodiment,module 101 could use the most recent symmetric key 127 communicatedbetween module 101 and a set of servers 1010 in order to send a moduleencrypted data 403 with the derived, second module public key 111 at astep 710 in FIG. 10.

As illustrated in FIG. 10, a step 516 from FIG. 5b could also beutilized in FIG. 10 for a module 101 to send the second module publickey 111 or a key K module token 1103. In the embodiments where either(i) an eUICC 163 is used by a module 101 to record a derived moduleprivate key 112 and a derived module public key 111, or (ii) module 101and a wireless network 102 derive a shared secret key network key K 129d, a step 516 in FIG. 10 could comprise the module 101 sending a key Kmodule token 1103 within a message 208, where a key K module token 1103is depicted and described in connection with FIG. 11 below. A key Kmodule token 1103 could comprise the module public key 111 or couldcomprise other data for a wireless network 102 or MNO 108 to derive asecret shared network key K 129 d, using a network key K derivationalgorithm 1101 illustrated in FIG. 11.

In an exemplary embodiment, the derived, second module public key 111 ina step 709 of FIG. 10 could be sent outside the module encrypted data403 (such as plaintext) in a message 208 at a step 710, but moduleencrypted data 403 could be used with the message 208 for either (i)sending other potentially sensitive data along with the module publickey 111, such as, but not limited to, cryptographic parameters 126, or(ii) sending encrypted data using a symmetric key 127 such that a server105 or set of servers 1010 could verify that module 101 has access tothe symmetric key 127. Thus, the module encrypted data 403 in a message208 at a step 710 could be used to authenticate or verify that themodule public key 111 received in a message 208 properly belongs to amodule 101 with a module identity 110. In other words, the properprocessing of a module encrypted data 403 using a symmetric key 127 in amessage 208 at step 710 can prevent imposters or the fraudulentsubmission of a module public key 111 in a step 710.

Note that a step 710 as depicted and described in connection with FIG. 7includes the authentication of the derived, second module public key111, and a step 710 in FIG. 10 can also include the steps for a module101 to authoritatively send the derived, second module public key 111.For the embodiment where a server 105 uses a first module public key 111(possibly from a step 1002) to authenticate a derived, second modulepublic key 111 from a step 710, a server 105 that did not previouslyhave or record the first module public key 111 could use the moduleidentity 110 query other servers such as, but not limited to, a sharedmodule database 105 k, a certificate authority 118, or a mobile networkoperator 108 in order to obtain the first module public key 111 toauthenticate or verify the derived, second module public key 112received in a step 710.

The module identity 110 in a message 208 at a step 710 could be sent asan encrypted module identity 110 a, such that the module identity 110 isciphered or obfuscated. A module 101 could use a secret cipheringalgorithm ciphering 162 or other techniques such as a symmetricciphering algorithm 141 b in order to send the module identity 110 as anencrypted module identity 110 a. For and embodiment where module 101sends module identity 110 as an encrypted module identity 110 a wherethe encrypted module identity 110 a is ciphered using a symmetricciphering algorithm 141 b, a key such as a symmetric key 127 to encryptthe module identity 110 into an encrypted module identity 110 a could becommunicated at a prior step such as, but not limited to, a step 1004.In general, the present invention contemplates that an encrypted moduleidentity 110 a can be used in place of a module identity 110 in Figureswhere a module 101 is depicted and described as sending a moduleidentity 110.

The message 208 in a step 710 in FIG. 10, as received by a server 105can include a second source IP:port 210:605 that is different than thefirst source IP:port in a message 208 at a step 1001. The source IP:port210:605 could change reasons including, but not limited to, (i) firewall104 operating as a NAT firewall changes port bindings over time, (ii)the packets from module 101 to a set of servers 1010 route throughdifferent firewalls 104 over time, such as module 101 connecting todifferent networks 102 over time and a first network 102 is used bymodule 101 in a step 1001 and a second network 102 is used by a module101 in a step 710, and (iii) a module 101 could use a different sourceIP:port number 204 for a step 1001 and a step 710. The present inventioncontemplates that module 101 can use a different source IP:port forsending the various messages 208 depicted and described in variousFigures throughout the present invention (an correspondingly use thedifferent IP:port numbers to receive various responses 209 to themessage 208). The IP address 202 for a module 101 to use in an IP:portnumber 204 can change over time, such as if a module 101 uses differentnetworks 102 for sending messages 208 over time.

Although a message 208 at a step 710 in a FIG. 10 depicts a module 101sending the message 208 at a step 710 to a server 105 within a set ofservers 1010, a module 101 can send the message 208 at a step 710 to adifferent server than the server 105 illustrated in FIG. 10. In otherwords, according to exemplary embodiments, a module 101 can send any ofthe messages 208 depicted in various Figures to different servers 105over time, and the different servers 105 could communicate with otherservers 105 such that the multiple servers 105 operate in a coordinatedmanner using a network, and the multiple servers 105 could function as aset of servers 1010. As one example, the first message 208 in a step1001 could be sent to a first server 105, and the message 208 in a step710 could be sent to a second server 105. The use of different servers105 for a module 101 to send a message 208 could be identified by theuse of a different destination IP address within the message 208. Otherpossibilities exist as well for the use of multiple servers 105 in a setof servers 1010 without departing from the scope of the presentinvention.

At a step 1007, after completing of a step 710 in FIG. 10, a server 105or set of servers 1010 can record the new, authenticated second modulepublic key 111 with other servers illustrated. The data recorded by aserver 105 could include the module identity 110, a module public keyidentity 111 a, and a second module public key 111, plus an additional,optional subset of cryptographic parameters 126 a. The data recorded bya server 105 in a step 1007 could be in the form of a certificate 122.In this manner, the second module public key 111, possibly in the formof a certificate 122, can be made available to other servers 105 withina set of servers 1010 over time, and the other servers 105 could alsouse the subset of cryptographic parameters 126 a in order to securelycommunicate with a module 101. The use of a step 1007 could also resultin the second module public key 111 (with associated data such as acertificate 122, module identity 110, module public key identity 111 a,and a subset of cryptographic parameters 126 a for the second modulepublic key 111) being made available to other servers outside of the setof servers 1010, such as a server 105 belonging to a different MNO 108than a MNO 108 operating the set of servers 1010. Note that a step 1007could be optionally omitted, and a set of servers 1010 could record thesecond module public key 111 internally, and the second module publickey 111 could also be kept confidential and not shared with otherservers, thereby further increasing the security of a system 100 andother systems illustrated herein.

At a step 1008, after sending a message 208 (which could comprise themessage 208 in step 710 in FIG. 10, or could comprise a differentmessage 208 after a step 710 where the different message 208 after astep 710 is not illustrated in FIG. 10), module 101 could receive aresponse 209 that includes a second symmetric key 127 that is cipheredusing an asymmetric ciphering algorithm 141 a. The response 209 in astep 1008 could include a server encrypted data 504. The serverencrypted data 504 in a response 209 for a step 1008 that includes asecond symmetric key 127 could be ciphered using the derived,authenticated, second module public key 111 sent by module 101 in a step710. At a step 1008 the module 101 can decipher the server encrypteddata 504 containing the second symmetric key 127 using the derived,second module private key 112 and an asymmetric ciphering algorithm 141a. A module 101 can use the second subset of cryptographic parameters126 a from a step 1006 with an asymmetric ciphering algorithm 141 a inorder to (i) decrypt the server encrypted data 504 received in a step1008, and (ii) read the plaintext second symmetric key 127. An exemplarydatagram 601 a that includes a symmetric key 127 within an encrypteddata that uses asymmetric ciphering 141 a is illustrated in element 701a of FIG. 7 of U.S. patent application Ser. No. 14/039,401, filed Sep.27, 2013 in the name of John Nix, which is hereby incorporated byreference in its entirety. Note that in a step 1008, although the set ofservers 105 are illustrated as sending the second symmetric key 127 in aresponse 209, the module 101 could alternatively send the secondsymmetric key 127 in a message 208, where the second symmetric key 127could be within a module encrypted data 403 that is ciphered with anasymmetric ciphering algorithm 141 a and the server public key 114 andalso uses the second subset of cryptographic parameters 126 from a step1006.

In another embodiment, a module 101 and a set of servers 1010 couldconduct a key exchange such as Diffie Hellman, ANSI-X.9.63 160, or ECDH159 in a step 1008 instead of transmitting and/or receiving the fullsecond symmetric key 127. The key exchange could involve sending numbersor values, possibly including a random number 128 a or a RAND 912,instead of the actual symmetric key 127, and a key derivation function141 f could be used with the numbers or values sent to derive a sharedsecret key 129 b. The shared secret key 129 b could comprise the secondsymmetric key 127 for a step 1008 and a step 1009. As contemplatedherein, in Figures such as FIG. 10 where a symmetric key 127 isillustrated as communicated between two nodes, instead of a symmetrickey 127 being directly communicated, values for a key derivationfunction 141 f could communicated as a proxy for the symmetric keys 127illustrated, and the nodes can use the values with a key derivationfunction 141 f to determine the symmetric key 127. In other words, invarious figures illustrated herein, where a symmetric key 127 isillustrated as communicated, values to determine a shared symmetric key127 could be communicated instead, such as values input into a keyderivation function 141 f in order to output a derived shared secret key129 b that could comprise a symmetric key 127. As contemplated herein,the term “establish a symmetric key” can comprise either (i) sending orreceiving the symmetric key 127 using an asymmetric ciphering algorithm141 a and PKI keys, or (ii) sending or receiving data for a keyderivation function 141 f such that a symmetric key 127 (possibly in theform of a derived shared key 129 b) could be determined from the datasent or received for the key derivation function 141 f.

At a step 1009, a module 101 can send a message 208 that includes amodule encrypted data 403, where the module encrypted data 403 isciphered using the second symmetric key 127. The second symmetric key127 (or values for a key derivation function 141 f to determine thesecond symmetric key 127) could be sent or received in a prior step1008. The module encrypted data 403 using the second symmetric key 127could include a server instruction 414, sensor data 305, a timestamp604, and a security token 401. Security token 401 and timestamp 604 canprevent replay attacks. If a timestamp 604 is included in a moduleencrypted data 403, then a security token 401 could optionally beomitted in a step 1009. The message 208 in a step 1009 could containdata for a message 208 as depicted and described in connection with FIG.6. The module identity 110 could comprise an encrypted module identity110 a, although the module identity 110 could also be sent as plaintextor as a session identity such that the session identity (or temporarymodule identity 110) within a message 208 at a step 1009 can change overtime but also be uniquely associated with a module identity 110persistently associated with a module 101.

FIG. 11

FIG. 11 is a graphical illustration for a module and a network tomutually derive a shared secret key K, in accordance with exemplaryembodiments. As described in FIG. 9b , exemplary embodiments of thepresent invention can utilize a combination of an embedded UICC 163 witha module 101's derivation of a module private key 112 and module publickey 111 in order to obtain a shared secret network key K 129 d, suchthat shared secret network key K 129 d can be utilized with existingand/or legacy mobile network operator infrastructure, including at leastone of a plurality of wireless networks 102. The shared secret networkkey K 129 d depicted and described in this FIG. 11 could comprise theshared secret key K used by a module 101 to authenticate andencrypt/decrypt data with a PLMN such as, but not limited to, mobilenetwork operator networks of AT&T® and Verizon® that utilize LTEwireless WAN technology in 2013, and future networks as well thatutilize a shared secret key K.

The eUICC 163 in a module 101 illustrated in FIG. 1c could utilize aplurality of received eUICC profiles 311 in order to connect withmultiple different wireless networks 102 without roaming (i.e. use anactivated eUICC profile 313 with a corresponding activated MNO networkaccess credentials 314 for different wireless networks 102 that a module101 connects with). An activated eUICC profile 313 could be utilized toconnect with several different base stations 103 across a widegeographical area that are associated with the same mobile networkoperator 108. A different connection to a second wireless network 102could be associated with a different mobile network operator 108 thatutilizes different network access credentials 314 for a differentactivated eUICC profile 313.

As illustrated in FIG. 11, a module 101 could utilize a module key Kderivation algorithm 909 in order to derive a secret shared network keyK 129 d in order connect and/or authenticate with a wireless network 102operated by a mobile network operator 108, and the wireless network 102could utilize a network key K derivation algorithm 1101 in order toshare a common key K and support communication with a module 101. Inthis manner, a module 101 can utilize an eUICC 163 to share a key K witha network 102 without requiring (i) the physical distribution of ashared secret key K as specified and contemplated in current ETSIstandards as of 2013, such as contemplated in 3GPP TS 33.401 V12.9.0 andrelated standards for a physical SIM or UICC or (ii) the electronicdistribution of a shared secret key K as contemplated in ETSI TS 103 383V12.0.0 and related standards for an eUICC. Future modules 101, wirelessnetworks 102, and MNOs 108 could incorporate or support the internalderivation of a secret shared network key K 129 d in order for a module101 and a mobile network operator 108 to obtain the same shared key Kwithout requiring the electronic transmission or physical distributionof a shared secret key K.

A module key K derivation algorithm 909 can comprise a series of stepsand logic to input at least (i) a derived module private key 1102, and(ii) a key K network token 1102 and output at least a derived secretshared network key K 129 d. The format and/or data for a key K networktoken 1102 as one input into a key derivation function 141 f within amodule key K derivation algorithm 909 can depend on the key derivationfunction 141 f and embodiments for a key K network token 1102, which aredescribed below. The secret shared network key 129 d can be fullycompatible with existing and/or future mobile network standards thatutilize a shared secret key K, such that module 101 and MNO 108 coulduse the mutually derived secret shared network key K 129 d for allnecessary steps in order to establish authenticated and securedcommunication with a wireless network 102.

A subset of the steps for using conventional technology with a key K inboth authentication of a module 101 and deriving session keys forencryption are depicted and described in connection with FIG. 9 b,including (i) a step 910 of processing a RES 913 in response to a RAND912 received by module 101, (ii) a step 911 of deriving a cipher key CK914 using the RAND 912 and the derived secret shared network key K 129d, and also (iii) deriving additional keys using the RAND 912 and a keyK, such as, but not limited to, values for an integrity key (IK), Kasme,Knasenc, Knasint, Kenb, and/or Kupenc. In other words, conventionaltechnology contemplated using a pre-shared secret key K for the varioussteps listed in the prior sentence, but the present inventioncontemplates using a mutually derived secret shared network key K 129 din order to perform the same steps (and thus the present inventionsupports widely deployed wireless networks 102 and also future plannednetworks that continue to use a key K). In the present invention, aderived secret shared network key K 129 d could be used to process orderive additional keys using a RAND 912, such as using a step 911 inFIG. 9b . The derived additional keys could comprise symmetric keys 127for use with symmetric ciphering algorithms 141 b such as, but notlimited to, an AES 155 ciphering. A module 101 could also use derivedsecret shared network key K 129 d illustrated in a module key Kderivation algorithm 909 with future wireless networks 102 that utilizedifferent symmetric keys 127 than those listed above within thisparagraph, where the different symmetric keys 127 are also derived froma shared secret key K.

The derived module private key 112 used for input by a module 101 in amodule key K derivation algorithm 909 can be derived using a step 515 asdepicted and described in connection with FIG. 5b and/or FIG. 7, or aprofile activation step 316 as depicted and described in connection withFIG. 3b , FIG. 5b , and/or FIG. 7. Module 101 could use at least a setof cryptographic algorithms 141, a key pair generation algorithm 141 e,a random number generator 128, and a set of cryptographic parameters 126to process or derive the module private key 112. Although notillustrated in FIG. 11, module 101 could also derive a correspondingmodule public key 111 as well. The derived module private key 112 couldutilize or be associated with an RSA algorithm 153 or an ECC algorithm154, and the use of a set of cryptographic algorithms 141 for a moduleprivate key 112 can be specified in the set of cryptographic parameters126 or a subset of cryptographic parameters 126 a. An exemplary set ofcryptographic parameters 126 and an exemplary subset of cryptographicparameters 126 a are depicted and described in connection with FIG. 1iand additional Figures herein. The subset of cryptographic parameters126 a illustrated in FIG. 11 could comprise a set of cryptographicparameters 126. An exemplary set of cryptographic algorithms 141,including a key derivation function 141 f, are depicted and described inconnection with FIG. 1d , FIG. 1i , and other Figures herein.

In exemplary embodiments, including the embodiments illustrated in FIG.11, the set of cryptographic parameters 126 for a key derivationfunction 141 f in a module key K derivation algorithm 909 could berecorded in a received eUICC profile 311. Alternatively, the set ofcryptographic parameters 126 could be recorded in an eUICC 163, or theset of cryptographic parameters 126 could be shared between a receivedeUICC profile 311 and an eUICC 163. The set of cryptographic algorithms141, including (i) a key pair generation algorithms 141 e used toprocess the module private key 112 in FIG. 11, and (ii) a key derivationfunction 141 f used in algorithm 909 in FIG. 11, could be recorded in aneUICC 163, or a module program 101 i, or shared between an eUICC 163 anda module program 101 i. In exemplary embodiments, (i) the set ofcryptographic algorithms 141, including key pair generation algorithms141 e and key derivation function 141 f, (ii) the eUICC 163, (iii) theset of cryptographic parameters 126, and (iv) module key K derivationalgorithm 909 can be recorded in a nonvolatile memory, such as, but notlimited to, a nonvolatile memory 101 w. In this manner, module 101 canstore the algorithms and values when the module 101 is in a dormant orpowered-off state. Other possibilities exist as well without departingfrom the scope of the present invention for the use and location of aset of cryptographic parameters 126 and a set of cryptographicalgorithms 141 for (i) deriving a module private key 112 for a module101 and (ii) utilizing a module key K derivation algorithm 909, withoutdeparting from the scope of the present invention.

As illustrated in FIG. 11, the derived module private key 112 and key Knetwork token 1102 can be input into a key derivation function 141 f.The key derivation function 141 f can use a subset of cryptographicparameters 126 a and the inputs in order to output a derived sharedsecret key 129 b. The use and function of a key derivation function 141f, as well as a derived shared secret key 129 b is also depicted anddescribed in connection with FIG. 1d above. A key derivation function141 f in a module key K derivation algorithm 909 could comprise any of(i) a Diffie-Hellman key exchange, (ii) an ANSI-X.9.63 160 keyderivation where an ECC algorithm is used with derived module privatekey 112, (iii) an ECDH 159 key derivation when an ECC algorithm is usedwith derived module private key 112, (iv) an ANSI-X.9.42 key derivation,or (v) similar and related algorithms for the derivation of a sharedsecret key 129 b using a private key and a subset of cryptographicparameters 126 a.

For an embodiment illustrated in FIG. 11, a key derivation function 141f could use a Diffie-Hellman key exchange where the subset ofcryptographic parameters 126 a includes a multiplicative group ofintegers modulo p, where p is prime, and g is a primitive root mod p. Inexemplary embodiments, p can be sufficiently large, such as, but notlimited to, and exemplary prime number of at least 250 digits, and g canbe a small number, such as, but not limited to, the number 5. In thisembodiment where a key derivation function 141 f within a module key Kderivation algorithm 909 uses a Diffie-Hellman key exchange, the key Knetwork token 1102 could comprise a value received from network 102associated with network private key 165 a. In a Diffie-Hellman keyexchange, key K network token 1102 could comprise a value equal tog{circumflex over ( )}b mod p, where b equals the network private key165 a. Key K network token 1102 could be received by module 101 fromnetwork 102 either (i) after an authentication step 907 in FIG. 9b usingan initial key K 325, or (ii) key K network token 1102 could be recordedwithin a received eUICC profile 311 and module 101 could receive key Knetwork token 1102 via a system bus 101 d. Key K network token 1102could also be received by module 101 in other steps as well, such as,but not limited to, a step 519, a step 607, and/or a step 707. As notedabove in this FIG. 11, the subset of cryptographic parameters 126 a ofp, g for a Diffie-Hellman key exchange can also be written to a receivedeUICC profile 311.

For another embodiment illustrated in FIG. 11, a key derivation function141 f could use an ECDH 159 key exchange with elliptic curvecryptography, where the subset of cryptographic parameters 126 aincludes a common base point G. An ECDH 159 with common base point G isalso described in FIG. 1d . For this embodiment of a key derivationfunction 141 f in a module key K derivation algorithm 909, moduleprivate key 111 and module public key 112 could comprise keys processedwith an ECC algorithm 154, and module 101 could likewise derive themodule PKI keys using a step 515 or a step 316. Key K network token 1102could comprise a network public key 165 b. The network private key 165 aand network public key 165 b could also be processed with an ECCalgorithm 154 using the same or equivalent elliptic curve as module PKIkeys. Key K network token 1102 could be received by module 101 fromnetwork 102 either (i) after an authentication step 907 using initialkey K 325, or (ii) key K network token 1102 could be recorded within areceived eUICC profile 311 and module 101 could receive key K networktoken 1102 via a system bus 101 d. Key K network token 1102 could alsobe received by module 101 in other steps as well, such as, but notlimited to, a step 519, a step 607, and/or a step 707

Other possibilities exist as well for the use of a key derivationfunction 141 f and a subset of cryptographic parameters 126 a within amodule key K derivation algorithm 909 without departing from the scopeof the present invention. Note a key exchange or a key derivationalgorithm 141 f other than (i) Diffie Hellman and/or (ii) ECDH 159 couldutilize a different subset of cryptographic parameters 126 a. Forembodiments where a different algorithm than Diffie Hellman or ECDH 159is utilized for a key derivation function 141 f in a module key Kderivation algorithm 909, then (i) a different subset of cryptographicparameters 126 a and (ii) different or additional data than thatdepicted in FIG. 11 could be utilized as well. With a differentalgorithm for a key derivation function 141 f used in a module key Kderivation algorithm 909, in exemplary embodiments the key derivationfunction 141 f could utilize as a minimum input of a derived moduleprivate key 112 and a key K network token 1102. Key K network token 1102for this alternative embodiment could represent data for the keyderivation function 141 f that is different than the exemplary valuesfor a key K network token 1102 described above with Diffi-Hellman orECDH 159 for the key derivation function 141 f.

In an exemplary embodiment, the use of a module private key 112 inputinto a key derivation function 141 f within a module key K derivationalgorithm 909 could be optionally omitted, and the derived shared secretkey 129 b within a module key K derivation algorithm 909 could comprisea shared secret key 129 c processed with a shared secret algorithm 141g, using a set of component parameters 101 t. As noted above inconnection with FIG. 1f and FIG. 1g , a shared secret key 129 c can bederived without input of data from a network 102 into the shared secretalgorithm 141 g, and thus in an exemplary embodiment module 101 couldcalculate a derived shared secret key 129 b within a module key Kderivation algorithm 909 without inputting data received from wirelessnetwork 102 into the key derivation function 141 f. In other words,module 101 could use a shared secret key 129 c as a derived sharedsecret key 129 b in order to derive a shared secret network key K 129 dwithout receiving data from wireless network 102. An algorithm token 190for use with a shared secret algorithm 141 g in a module key Kderivation algorithm 909 can be included in a subset of cryptographicparameters 126 a.

In preferred embodiments, a module key K derivation algorithm 909 and anetwork key K derivation algorithm 1101 can utilize the same or relatedkey derivation functions 141 f and the same or related subsets ofcryptographic parameters 126 a in order to obtain the same or equalvalue for the derived shared secret key 129 b. In another embodiment, akey K network token 1102 for the key derivation function 141 f that isdifferent than Diffi Hellman or ECDH 159 could comprise a shared secretkey 129 c processed with a shared secret algorithm 141 g, using a set ofcomponent parameters 101 t.

In an exemplary embodiment, module 101 could derive a first moduleprivate key 112, where the first module private key 112 may optionallynot be associated with a corresponding module public key 111. For thisexemplary embodiment, module 101 could optionally derive a second moduleprivate key 112 that is associated with a corresponding module publickey 111, and the second module private key 112 and corresponding modulepublic key 111 could comprise a module PKI key pair 315. The derivationof a module PKI key pair 315 could optionally be omitted and stillutilize the module key K derivation algorithm 909 illustrated in FIG.11. The first module private key 112 that is not associated with acorresponding module public key 111 could be utilized as the derivedmodule private key 112 input into a key derivation function 141 f withina module key K derivation algorithm 909. In this embodiment where thefirst module private key 112 that is not associated with a correspondingmodule public key 111 is utilized in a module key K derivation algorithm909, then key K module token 1103 below in a network key K derivationalgorithm 1101 can be data associated with the first module private key112 as described in this paragraph as opposed to a first module publickey 111 (since the first module public key 111 can be optionallyomitted).

The output of a key derivation function 141 f in a module key Kderivation algorithm 909 can be a number comprising a derived sharedsecret key 129 b, which is also depicted and described in connectionwith FIG. 1d and FIG. 1c . In exemplary embodiments, the use of a keyderivation function 141 f such as, but not limited to, a Diffie Hellmankey exchange or ECDH 159, can output a key that is a different lengththan a key K for a wireless network 102 (or key Ki for use with 3Gnetworks). As currently specified in ETSI/3GPP standards for LTEnetworks, the shared secret key K, (i) recorded in a SIM or UICC, and aMNO 108 HSS, and (ii) described in 3GPP TS 33.401 V12.9.0 and relatedstandards, comprises a random number with a length of 128 bits. Thelength of key K for standards-based wireless networks 102 may beextended in the future. The use of shared secret key K forauthentication of a module 101, and also for ciphering and dataintegrity, with a wireless network 102 that implements ETSI and/or 3GPPstandards is also defined in the specifications ETSI TS 135 205-209 andrelated standards.

A key processing algorithm 141 i within a module key K derivationalgorithm 909 can (i) use as input the output of the key derivationfunction 141 f in the form of a derived shared secret key 129 b, and(ii) transform the derived shared secret key 129 b into a number that is128 bits in length (or other key lengths for key K supported by wirelessnetwork 102). In an exemplary embodiment, (i) the length of derivedmodule private key 112, (ii) the length of parameters 126 a, and (iii)an algorithm for key derivation function 141 f in a module key Kderivation algorithm 909 are selected such that the length of derivedshared secret key 129 b can be greater than the length of key Kspecified for wireless network 102. In this embodiment, the keyprocessing algorithm 141 i can take steps to (i) truncate derived sharedsecret key 129 b, (ii) select a subset of bits within derived sharedsecret key 129 b, and/or (iii) take steps to securely and/or randomlyreduce the size of derived shared secret key 129 b to match the keylength of key K specified for wireless network 102. In exemplaryembodiments, the key processing algorithm 141 i within a module key Kderivation algorithm 909 (or at least cryptographic parameters 126 forthe key processing algorithm 141 i in a module key K derivationalgorithm 909) can be included in a received eUICC profile 311.

For embodiments where the derived shared secret key 129 b in a modulekey K derivation algorithm 909 can be less than the key length of key Kspecified for wireless network 102, then key processing algorithm 141 ican perform a key lengthening function, such as, but not limited to,using a secure hash algorithm 141 c with input of at least the derivedshared secret key 129 b. The secure hash algorithm 141 c could beselected such that the length of output of the secure hash algorithm 141c matches the length of key K specified for wireless network 102. Thesecure hash algorithm 141 c for use in a module key K derivationalgorithm 909 could be specified in a set of cryptographic parameters126. Other possibilities exist as well for a key processing algorithm141 i to lengthen a derived shared secret key 129 b without departingfrom the scope of the present invention.

In an exemplary embodiment where the length of key K specified forwireless network 102 in the future equals 256 bits, key processingalgorithm 141 i could comprise an SHA-256 156 algorithm, such that theoutput of key processing algorithm 141 i comprises a number with 256bits in length, with input using a derived shared secret key 129 b thatcould comprise a number less than, equal to, or greater than a length of256 bits, and other possibilities for a key processing algorithm 141 iexists as well. In exemplary embodiments, key processing algorithm 141 iincludes a secure hash algorithm 141 c, such that the derived sharedsecret key 129 b in a module key K derivation algorithm 909 is inputinto the secure hash algorithm 141 c. Although not illustrated in FIG.1d above, a key processing algorithm 141 i could be included in a set ofcryptographic algorithms 141.

As depicted in FIG. 11, the output of key processing algorithm 141 iwithin a module key K derivation algorithm 909 can comprise a sharedsecret network key K 129 d. A shared secret network key K 129 d is alsodescribed in a step 909 depicted and described in connection with FIG.9b . Upon deriving the shared secret network key K 129 d, module 101could record the value in either an activated eUICC profile 313 or alsopossibly a received eUICC profile 311 (where the received eUICC profile311 is not activated) within an eUICC 163. A wireless network 102 couldutilize a network key K derivation algorithm 1101 in order to securelyobtain the same value for shared secret network key K 129 d. Module 101and/or an eUICC 163 could then utilize the shared secret network key K129 d to connect with and/or authenticate with a wireless network 102using the steps 910 and 911 depicted and described in connection withFIG. 9b . In exemplary embodiments, module 101 and wireless network 102could utilize the shared secret network key K 129 d with the algorithmsspecified in ETSI TS 135 205-209, as well as subsequent and relatedstandards, in order for module 101 to authenticate and/or connect withwireless network 102. Other possibilities exist as well withoutdeparting from the scope of the present invention.

A network key K derivation algorithm 1101 can be used by a wirelessnetwork 102 in order to derive a secret shared network key K 129 d thatis the same or equals the derived secret shared network key K 129 dprocessed by a module 101 using a module key K derivation algorithm 909.In this manner, wireless network 102 and module 101 can both utilize thesame, derived secret shared network key K 129 d for communication. Thecommonly shared secret shared network key K 129 d can be used by bothmodule 101 and wireless network 102/mobile network operator 108 for (i)authentication and (i) the subsequent derivation of additional symmetrickeys 127, where the additional symmetric keys 127 could be derived froma key derivation function 141 f (where a key derivation function 141 fwould be used to derive symmetric keys 127 in the form of derived sharedsecret keys 129 b in a manner illustrated in FIG. 1d that can bedifferent than the use of a key derivation function 141 f illustrated inFIG. 11).

A server 105 as depicted and described in connection with FIG. 1k andFIG. 1m could reside in the network for a mobile network operator 108,where the wireless network 102 as illustrated in FIG. 1a could comprisea radio access segment for the mobile network operator 108. The server105 could also be part of a set of servers 1010, and the set of servers1010 could also be within a network for a mobile network operator. Theserver 105 or set of servers 1010 could utilize the components depictedand described in connection with FIG. 1k and FIG. 1m in order to processand/or perform a network key K derivation algorithm 1101, includingusing (i) a storage 105 m to record the key derivation function 141 fand associated cryptographic parameters 126, (ii) a processor 105 b toperform calculations in order to implement the key derivation function141 f, (iii) a system bus 105 d in order to move data from storage intoa RAM 105 e for further processing, (iv) a physical interface 105 a suchas Ethernet to send and receive data, and (v) a module database 105 k torecord a network module identity 101 b and a shared secret network key K129 d for each of a plurality of modules 101 that could connect to awireless network 102. In exemplary embodiments, a home subscriber server(HSS) within an LTE network and subsequent, related networks includingwireless networks based on LTE Advanced could operate or process anetwork key K derivation algorithm 1101, and the HSS could also functionas a server 105 or a set of servers 1010 as contemplated herein.

A network key K derivation algorithm 1101 operating on a server 105,HSS, and/or set of servers 1010 can include a key derivation function141 f and a key processing algorithm 141 i. The key derivation function141 f within a network key K derivation algorithm 1101 can be equivalentor the same algorithm as a key derivation function 141 f used within amodule key K derivation algorithm 909, as depicted and described inconnection with this FIG. 11 above. As illustrated in FIG. 11, (i) anetwork private key 165 a and (ii) a module key K token 1103 can beinput into a key derivation function 141 f within a network key Kderivation algorithm 1101. The key derivation function 141 f can use asubset of cryptographic parameters 126 a and the input in order tooutput a derived shared secret key 129 b. For an embodiment illustratedin FIG. 11, a key derivation function 141 f in a network key Kderivation algorithm 1101 could use a Diffie-Hellman key exchange wherethe subset of cryptographic parameters 126 a includes a multiplicativegroup of integers modulo p, where p is prime, and g is a primitive rootmod p. In this embodiment where a key derivation function 141 f within anetwork key K derivation algorithm 1101 uses a Diffie-Hellman keyexchange (or similar key exchange protocols), the key K module token1103 could comprise a value received from module 101 associated withmodule private key 112. The set of servers 1010 could receive the key Kmodule token 1103 in a step 908 in FIG. 9b or a step 516 in FIG. 5b ,and other possibilities exist as well for a server 1010 to receive thekey K module token 1103.

In a Diffie-Hellman key exchange for a key derivation function 141 fwithin a network key K derivation algorithm 1101, key K module token1103 could comprise a value equal to g{circumflex over ( )}a mod p,where a equals the module private key 112. Key K module token 1103 couldbe received from module 101 after an authentication step 907 usinginitial key K 325, and other possibilities exist as well withoutdeparting from the scope of the present invention. The subset ofcryptographic parameters 126 a of p, g for a Diffie-Hellman key exchangewith a module 101 using a network module identity 101 b can also bewritten to a module database 105 k and also the received eUICC profile311. In exemplary embodiments, a module database 105 k can also record aplurality of received eUICC profiles 311 for a plurality of modules 101,where each module 101 uses either module identity 110 or network moduleidentity 101 b. In exemplary embodiments a different subset ofcryptographic parameters 126 a for a key derivation function 141 f in anetwork key K derivation algorithm 1101 can be used for each module 101in order to increase security.

For another embodiment illustrated in FIG. 11, a key derivation function141 f could use an ECDH 159 key exchange with elliptic curvecryptography, where the subset of cryptographic parameters 126 aincludes a common base point G. For this embodiment where a keyderivation function 141 f in a network key K derivation algorithm 1101comprises an ECDH 159 key exchange, network private key 165 a andnetwork public key 165 b could comprise keys processed with an ECCalgorithm 154. A server 105 or set of servers 1010 could derive thenetwork private key 165 a and network public key 165 b using a key pairgeneration algorithm 141 e. Key K module token 1103 could comprise amodule public key 111, where the module private key 112 and modulepublic key 111 could also be processed with an ECC algorithm 154 usingthe same or elliptic curve as the network PKI keys 165 a and 165 b. KeyK module token 1103, in the form of a module public key 111 with an ECDH159 for a key derivation function 141 f in a network key K derivationalgorithm 1101, could be received from module 101 after anauthentication step 907 using an initial key K 325. Other possibilitiesexist as well for the use of a key derivation function 141 f, key Kmodule token 1103, and a subset of cryptographic parameters 126 a both(i) within a network key K derivation algorithm 1101 and (ii) to derivea shared secret network key K 129 d without departing from the scope ofthe present invention.

In an exemplary embodiment, the use of a network private key 165 a inputinto a key derivation function 141 f within a network key K derivationalgorithm 1101 could be optionally omitted, and the derived sharedsecret key 129 b within a network key K derivation algorithm 1101 couldcomprise a shared secret key 129 c processed with a shared secretalgorithm 141 g, using a set of component parameters 101 t. As notedabove in connection with FIG. 1f and FIG. 1g , a shared secret key 129 ccan be derived without input of data from a module 101 into the sharedsecret algorithm 141 g, and thus in an exemplary embodiment MNO 108could calculate a derived shared secret key 129 b within a network key Kderivation algorithm 1101 without inputting data received from module101 into the key derivation function 141 f. In other words, MNO 108(using a server 105) could use a shared secret key 129 c as a derivedshared secret key 129 b in a network key K derivation algorithm 1101 inorder to derive a shared secret network key K 129 d without receivingdata from module 101. An algorithm token 190 for use with a sharedsecret algorithm 141 g in a network key K derivation algorithm 1101 canbe included in a subset of cryptographic parameters 126 a, and thesubset of cryptographic parameters 126 a could be included in thereceived eUICC profile 311 for a module 101. An HSS for a network 102could process or create information for the received eUICC profile 311.As depicted and described in connection with FIG. 1f , (i) a server 105,which could be operated by MNO 108, or (ii) MNO 108 could calculateshared secret key 129 c using component parameters 101 t for a module101 with module identity 110 in a module database 105 k.

For embodiments that do not use a shared secret key 129 c in a networkkey K derivation algorithm 1101, the output of a key derivation function141 f in a network key K derivation algorithm 1101 can be a number orstring comprising a derived shared secret key 129 b, which is alsodepicted and described in connection with FIG. 1d and FIG. 1c . Thederived shared secret key 129 b in a network key K derivation algorithm1101 can be the same or equivalent for a derived shared secret key 129 bas described in a module key K derivation algorithm 909. The sub-stepsand description for a derived shared secret key 129 b in a module key Kderivation algorithm 909 can apply for a derived shared secret key 129 bin a network key K derivation algorithm 1101.

A key processing algorithm 141 i within a network key K derivationalgorithm 1101 can take the same or equivalent steps as described for akey processing algorithm 141 i within a module key K derivationalgorithm 909 described above in this FIG. 11. For embodiments where thederived shared secret key 129 b can be less than the key length of key Kspecified for wireless network 102, then key processing algorithm 141 ican perform a key lengthening function, such as, but not limited to,using a secure hash algorithm 141 c with at least input of the derivedshared secret key 129 b. The secure hash algorithm 141 c could beselected such that the length of output of the secure hash algorithm 141c matches the length of key K specified for wireless network 102. Thesecure hash algorithm 141 c for use in a network key K derivationalgorithm 1101 could be specified in a set of cryptographic parameters126. For embodiments where the length of derived shared secret key 129 bin a network key K derivation algorithm 1101 can be greater than thelength of key K specified for wireless network 102, the key processingalgorithm 141 i can take steps to (i) truncate derived shared secret key129 b, (ii) select a subset of bits within derived shared secret key 129b, and/or (iii) take steps to securely and/or randomly reduce the sizeof derived shared secret key 129 b to match the key length of key Kspecified for wireless network 102. In exemplary embodiments, keyprocessing algorithm 141 i includes a secure hash algorithm 141 c, suchthat the derived shared secret key 129 b in a network key K derivationalgorithm 1101 is input into the secure hash algorithm 141 c in order tooutput the secret shared network key K 129 d.

In exemplary embodiments, the key processing algorithm 141 i for anetwork key K derivation function 1101 can take the same or equal valuefor a derived shared secret key 129 b in a module key K derivationfunction 909 and output the same or equal value for shared secretnetwork key K 129 d. One difference between a key processing algorithm141 i for a network key K derivation function 1101 and a a keyprocessing algorithm 141 i for a module key K derivation function 909 isthat the a key processing algorithm 141 i for a network key K derivationfunction 1101 can optionally include logic to detect a “collision”,where the shared secret network key K 129 d may already be used by adifferent module 101 using a different module identity 110 or networkmodule identity 110 b. In this case of a “collision” network 102 couldtake steps such as (i) requesting the module 101 derive a new anddifferent shared secret key 129 b (which could involve the use of adifferent random number 128 a by module 101), or (ii) network 102 couldtake steps such that the same shared secret network key K 129 d (in thecase of a “collision) could be supported by two different modules 101using two different module identities 110 or network module identities110 b.

As depicted in FIG. 11, the output of key processing algorithm 141 iwithin a network key K derivation algorithm 1101 can comprise a sharedsecret network key K 129 d. A shared secret network key K 129 d is alsodescribed in a step 909 depicted and described in connection with FIG.9b . Upon deriving the shared secret network key K 129 d, MNO 108, usinga server 105 or set of servers 1010 could record the value in within amodule database 105 k. The module database 105 k could reside within anHSS or similar servers for an LTE and related networks. A module 101could utilize a module key K derivation algorithm 909 in order tosecurely obtain the same value for shared secret network key K 129 d.MNO 108 and wireless network 102 could then utilize the shared secretnetwork key K 129 d to connect with and/or authenticate a module 101using the steps for a network in steps 910 and 911 depicted anddescribed in connection with FIG. 9b . In exemplary embodiments, module101 and wireless network 102 could utilize the shared secret network keyK 129 d with the algorithms specified in ETSI TS 135 205-209, as well assubsequent and related standards, in order for module 101 toauthenticate and/or connect with wireless network 102. Otherpossibilities exist as well without departing from the scope of thepresent invention.

CONCLUSION

Various exemplary embodiments have been described above. Those skilledin the art will understand, however, that changes and modifications maybe made to those examples without departing from the scope of theclaims.

What is claimed is:
 1. A module with an embedded Universal IntegratedCircuit Card (eUICC) comprising: (a) at least one processor; and (b) amemory operatively connected to the at least one processor, the memoryincluding processor executable code that, when executed by the at leastone processor, performs the steps of: (1) recording, in the memory ofthe module, (i) a module public key and a corresponding module privatekey, (ii) a pre-shared secret key, (iii) a set of cryptographicparameters, and (iv) a module identity, (2) generating, by the module,module encrypted data associated with a first set of servers using thepre-shared secret key which is also separately accessible by the firstset of servers, wherein the module encrypted data includes at least aportion of the set of cryptographic parameters; (3) storing, by themodule in the memory, a network public key, wherein the network publickey is associated with (i) a second set of servers and (ii) a networkprivate key; (4) generating, by the module in the memory, a mutuallyderived shared key using Elliptical Curve Diffie Hellman, wherein themutually derived shared key is derived by the module based on at least:(i) the module private key; and (ii) the network public key, wherein themutually derived shared key can be derived by the second set of serversbased on at least: (A) the module public key associated with the moduleprivate key; and (B) the network private key associated with the networkpublic key; (5) receiving from the second set of servers an encryptedprofile for the eUICC; and (6) decrypting the encrypted profile with themutually derived shared key in order to store network accesscredentials.
 2. The module of claim 1, wherein the memory is anonvolatile memory.
 3. The module of claim 1, wherein the memory is avolatile memory.
 4. The module of claim 1, wherein the processorexecutable code, when executed by the at least one processor, performs astep of sending the module encrypted data to the first set of servers.5. The module of claim 1, wherein the module comprises a wireless moduleadapted to communicate over a wireless network using a radio and anantenna.
 6. The module of claim 1, wherein the module comprises a sensorconfigured to collect data regarding a monitored unit.
 7. The module ofclaim 1, wherein the module comprises a controller configured to changea state of an actuator associated with a monitored unit.
 8. The moduleof claim 1, wherein the module comprises a wired communication moduleadapted to connect to a network over a wired connection.
 9. The moduleof claim 1, wherein the set of cryptographic parameters comprisesettings for one or more cryptographic algorithms.
 10. The module ofclaim 9, wherein the one or more cryptographic algorithms includes anElliptic Curve Integrated Encryption Scheme.
 11. The module of claim 1,wherein the module encrypted data includes only the portion of the setof cryptographic parameters.
 12. The module of claim 1, wherein themodule encrypted data includes all cryptographic parameters of the setof cryptographic parameters.
 13. The module of claim 1, wherein thesecond set of servers comprises one server.
 14. The module of claim 1,wherein the second set of servers comprises a plurality of servers. 15.The module of claim 1, wherein the processor executable instructions,when executed by the at least one processor, perform a step of: (h)connecting to a wireless network using a decrypted profile for theeUICC, wherein the decrypted profile is provided in step (b)(6) andincludes the network access credentials, and wherein the network accesscredentials include at least a key K and a network module identity.